oxd-ruby 0.1.9 → 1.0.2

data/lib/oxd/config.rb

@@ -1,10 +1,10 @@
 require 'active_support/configurable'
 
 # @author Inderpal Singh
-# @note supports oxd-version 3.1.1
+# @note supports oxd-version 3.1.2
 module Oxd
 
-  # Configures global settings for Oxd
+  # Configures global settings for oxd
   # @yield config
   # @example
   #   Oxd.configure do |config|
@@ -17,7 +17,7 @@ module Oxd
     end
   end
 
-  # Global settings for Oxd
+  # Global settings for oxd
   def self.config
     @config
   end
@@ -32,7 +32,6 @@ module Oxd
     config_accessor :client_secret
     config_accessor :client_name
     config_accessor :authorization_redirect_uri
-    config_accessor :logout_redirect_uri
     config_accessor :post_logout_redirect_uri
     config_accessor :scope
     config_accessor :grant_types
@@ -43,9 +42,8 @@ module Oxd
     config_accessor :client_token_endpoint_auth_method
     config_accessor :client_request_uris
     config_accessor :contacts
-    config_accessor :client_logout_uris
+    config_accessor :client_frontchannel_logout_uris
     config_accessor :connection_type
-    config_accessor :oxd_host
     config_accessor :dynamic_registration
     config_accessor :prompt
     config_accessor :id_token
@@ -56,6 +54,8 @@ module Oxd
     config_accessor :client_sector_identifier_uri
     config_accessor :ui_locales
     config_accessor :claims_locales
+    config_accessor :claims_redirect_uri
+    config_accessor :op_discovery_path
     config_accessor :protection_access_token
 
     # define param_name writer
@@ -68,17 +68,19 @@ module Oxd
     class_eval writer, __FILE__, line
   end
 
-  #[oxd]
+  # ****** config to hold the information about the oxd module that has been deployed (host, port, etc.) ******
   # oxd_host_ip : the host is generally localhost as all communication are carried out between oxd-ruby and oxd server using sockets.
   # oxd_host_port: the port is the one which is configured during the oxd deployment
   
-  #[client]
+  # ****** config to hold the information which are specific to website like the redirect uris ******
+  # op_host: Host URL of the OpenID Provider
   # application_type: the app_type is generally 'web' although 'native' can be used for native app
-  # authorization_redirect_uri: [REQUIRED] this is the primary redirect URL of the website or app
-  # => the first one is always your primary uri set in authorization_redirect_uri
+  # prompt: 'login' is required if you want to force alter current user session
+  # authorization_redirect_uri: [REQUIRED] Redirect uri to which user will be redirected after authorization
   # post_logout_redirect_uri: [OPTIONAL] website's public uri to call upon logout
-  # client_logout_uris:  [REQUIRED, LIST] logout uris of the client
-  # grant_types: [OPTIONAL, LIST] grant types to "authorization_code" or "refresh_token"
+  # client_frontchannel_logout_uris:  [REQUIRED, LIST] logout uris of the client which will be called by the OpenID provider when logout happens. This is a good place to clear session/cookies.
+  # grant_types: [OPTIONAL, LIST] grant types supported by the openid server, ["authorization_code", "client_credentials"]
+  # => 'client_credentials' is required for the UMA
   # acr_values: [OPTIONAL, LIST] the values are "basic" and "duo"
   # client_jwks_uri: [OPTIONAL]
   # client_token_endpoint_auth_method: [OPTIONAL]
@@ -94,8 +96,7 @@ module Oxd
   	config.prompt = "login"
   	config.authorization_redirect_uri = "https://gluu.example.com/callback"
   	config.post_logout_redirect_uri = "https://gluu.example.com/logout"
-  	config.client_logout_uris = ["https://gluu.example.com/callback"]
-  	config.logout_redirect_uri = 'https://gluu.example.com/logout'
+  	config.client_frontchannel_logout_uris = ["https://gluu.example.com/callback"]
   	config.grant_types = []
   	config.acr_values = ["basic"]
   	config.client_jwks_uri = ""
@@ -110,8 +111,9 @@ module Oxd
     config.client_sector_identifier_uri = ""
     config.ui_locales = []
     config.claims_locales = []
+    config.claims_redirect_uri = []
+    config.op_discovery_path = ""
     config.protection_access_token = ""
-    config.oxd_host = ""
     config.dynamic_registration = true
     config.connection_type = 'local'
   end 

data/lib/oxd/errors.rb

@@ -0,0 +1,33 @@
+module Oxd
+  # Error raised by oxd-ruby whenever an oxd Server Error is reported
+  class ServerError < StandardError
+    def initialize(errorObj)
+    	error_msg = "oxd Server Error: #{errorObj['error']}\n #{errorObj['error_description']}"
+      super(error_msg)
+    end
+  end
+
+  # Error raised when oxd-server returns "invalid_ticket" error for the `uma_rp_get_rpt` command.
+  class InvalidTicketError < StandardError
+    def initialize(errorObj)
+    	error_msg = "Invalid Ticket Error: #{errorObj['error_description']}"
+      super(error_msg)
+    end
+  end
+
+  # Error raised when oxd-server returns a "need_info" error for the `uma_rp_get_rpt` command.
+  class NeedInfoError < StandardError
+    def initialize(errorObj)
+    	error_msg = "#{errorObj}"
+      super(error_msg)
+    end
+  end
+
+  # Error raised when UMA RP does an `uma_rp_check_access` on unprotected resource and the oxd server returns 'invalid_request' response.
+  class InvalidRequestError < StandardError
+    def initialize(errorObj)
+    	error_msg = "Invalid Request Error: #{errorObj['error_description']}"
+      super(error_msg)
+    end
+  end
+end

data/lib/oxd/oxd_connector.rb

@@ -5,10 +5,10 @@ require 'json'
 require 'uri'
 
 # @author Inderpal Singh
-# @note supports oxd-version 3.1.1
+# @note supports oxd-version 3.1.2
 module Oxd
 
-	# A class which takes care of the socket communication with oxD Server.
+	# A class which takes care of the socket communication with oxd Server.
 	class OxdConnector
 
 	    # class constructor
@@ -21,52 +21,50 @@ module Oxd
 	    	@response_data = Hash.new
 	    	@configuration = Oxd.config
 
-			logger(:log_msg => "Problem with json data : authorization_redirect_uri can't be blank") if @configuration.authorization_redirect_uri.empty?
-			logger(:log_msg => "#{@configuration.oxd_host_ip} is not a valid IP address") if (IPAddr.new(@configuration.oxd_host_ip) rescue nil).nil?
-			logger(:log_msg => "#{@configuration.oxd_host_port} is not a valid port for socket. Port must be integer and between from 0 to 65535") if (!@configuration.oxd_host_port.is_a?(Integer) || (@configuration.oxd_host_port < 0 && @configuration.oxd_host_port > 65535))	
+			trigger_error("Problem with json data : authorization_redirect_uri can't be blank") if @configuration.authorization_redirect_uri.empty?
+			trigger_error("#{@configuration.oxd_host_ip} is not a valid IP address") if (IPAddr.new(@configuration.oxd_host_ip) rescue nil).nil?
+			trigger_error("#{@configuration.oxd_host_port} is not a valid port for socket. Port must be integer and between from 0 to 65535") if (!@configuration.oxd_host_port.is_a?(Integer) || (@configuration.oxd_host_port < 0 && @configuration.oxd_host_port > 65535))
 	    end
 
 	    # Checks the validity of command that is to be passed to oxd-server
 	    def validate_command
-	    	command_types = ['setup_client', 'get_client_token', 'get_authorization_url','update_site_registration','get_tokens_by_code','get_access_token_by_refresh_token', 'get_user_info', 'register_site', 'get_logout_uri','get_authorization_code','uma_rs_protect','uma_rs_check_access','uma_rp_get_rpt','uma_rp_get_claims_gathering_url']
+	    	command_types = ['setup_client', 'get_client_token', 'introspect_access_token', 'get_authorization_url','update_site','remove_site','get_tokens_by_code','get_access_token_by_refresh_token', 'get_user_info', 'register_site', 'get_logout_uri','get_authorization_code','uma_rs_protect','uma_rs_check_access','uma_rp_get_rpt','uma_rp_get_claims_gathering_url','introspect_rpt']
 	    	if (!command_types.include?(@command))
-				logger(:log_msg => "Command: #{@command} does not exist! Exiting process.")
+				trigger_error("Command: #{@command} does not exist! Exiting process.")
         	end
 	    end
 
-		# method to communicate with the oxD server
+		# method to communicate with the oxd server
 		# @param request [JSON] representation of the JSON command string
 		# @param char_count [Integer] number of characters to read from response
-		# @return response from the oxD Server
+		# @return response from the oxd Server
 		def oxd_socket_request(request, char_count = 8192)
 			host = @configuration.oxd_host_ip     # The web server
 			port = @configuration.oxd_host_port   # Default HTTP port
 
-			if(!socket = TCPSocket.new(host, port) )  # Connect to Oxd server
-				logger(:log_msg => "Socket Error : Couldn't connect to socket ")
+			if(!socket = TCPSocket.new(host, port) )  # Connect to oxd server
+				trigger_error("Socket Error : Couldn't connect to socket")
 			else
-				logger(:log_msg => "Client: socket::socket_connect connected : #{request}", :error => "")
+				logger("Client: socket::socket_connect connected : #{request}")
 			end
 			
 			socket.print(request)               # Send request
 			response = socket.recv(char_count)  # Read response
 			if(response)
-				logger(:log_msg => "Client: oxd_socket_response: #{response}", :error => "")
+				logger("Client: oxd_socket_response: #{response}")
 	        else
-				logger(:log_msg => "Client: oxd_socket_response : Error socket reading process.")
+				trigger_error("Client: oxd_socket_response : Error socket reading process.")
 	        end
 	        # close connection
 	        if(socket.close)
-	        	logger(:log_msg => "Client: oxd_socket_connection : disconnected.", :error => "")
+	        	logger("Client: oxd_socket_connection : disconnected.")
 	        end
-	        #logger(:log_msg => response)
-			#abort
 	        return response
 		end
 		
-		# method to communicate with the oxD-to-http server
+		# method to communicate with the oxd-to-https server
 		# @param request_params [JSON] representation of the JSON command string
-		# @return response from the oxD-to-http server
+		# @return response from the oxd-to-https server
 		def oxd_http_request(request_params, command = "")
 			uri = URI.parse("https://127.0.0.1/"+command)
 			http = Net::HTTP.new("127.0.0.1", 8443)
@@ -80,63 +78,67 @@ module Oxd
 				request.add_field('Authorization','Bearer '+@configuration.protection_access_token)
 			end
 			request.body = request_params
-			logger(:log_msg => "Sending oxd_http_request command #{command} with data #{request_params.inspect}", :error => "")
-			response = http.request(request)
-			response2 = response.body
-			logger(:log_msg => "oxd_http_request response #{response2}", :error => "")
-			return response2
+			logger("Sending oxd_http_request command #{command} with data #{request_params.inspect}")
+			http_response = http.request(request)
+			response = http_response.body
+			logger("oxd_http_request response #{response}")
+			return response
 		end
 
 		# @param comm [String] command string for oxd-to-http
-		# method to send commands to the oxD server and oxd-to-http and to recieve the response via {#oxd_socket_request}
-		# @return [JSON] @response_object : response from the oxd server in JSON form
+		# method to send commands to the oxd server and oxd-to-http and to recieve the response via {#oxd_socket_request}
+		# @return [JSON] response from the oxd server in JSON form
 	    def request(comm = "")
 			
 	    	uri = URI.parse(@configuration.authorization_redirect_uri)	
-			logger(:log_msg => "Please enable SSL on your website or check URIs in Oxd configuration.") if (uri.scheme != 'https')
+			trigger_error("Please enable SSL on your website or check URIs in oxd configuration.") if (uri.scheme != 'https')
 	    	validate_command
 	    	
 	    	if(@configuration.connection_type == 'local')
 				jsondata = getData.to_json
 				if(!is_json? (jsondata))
-					logger(:log_msg => "Sending parameters must be JSON. Exiting process.")
-				end
+					trigger_error("Sending parameters must be JSON. Exiting process.")
+				end				
 				length = jsondata.length
 				if( length <= 0 )
-					logger(:log_msg => "JSON data length must be more than zero. Exiting process.")
+					trigger_error("JSON data length must be more than zero. Exiting process.")
 				else
 					length = length <= 999 ? sprintf('0%d', length) : length
 				end
 				@response_json = oxd_socket_request((length.to_s + jsondata).encode("UTF-8"))
 				@response_json.sub!(@response_json[0..3], "")
 	        else
-				jsondata = getData2.to_json
+				jsondata = @params.to_json
 				@response_json = oxd_http_request(jsondata, comm)
 	        end
 
 
 	        if (@response_json)
 	            response = JSON.parse(@response_json)
-	            if (response['status'] == 'error') 
-	    			logger(:log_msg => "OxD Server Error : #{response['data']['error_description']}")
-	            elsif (response['status'] == 'ok')
-					
+	            if (response['status'] == 'error')	            	
+            		raise ServerError, response['data'] if response['data']['error'] == 'internal_error'
+			        raise NeedInfoError, response['data'] if response['data']['error'] == 'need_info'			            
+			        raise InvalidTicketError, response['data'] if response['data']['error'] == 'invalid_ticket'
+			    	raise InvalidRequestError, response['data'] if response['data']['error'] == 'invalid_request'                
+			            
+	    			trigger_error("oxd Server Error : #{response['data']['error_description']}")
+	            elsif (response['status'] == 'ok')					
 	                @response_object = JSON.parse(@response_json)
 	            end
 	        else
-	        	logger(:log_msg => "Response is empty. Exiting process.")
+	        	trigger_error("Response is empty. Exiting process.")
 	        end
 	        
 	        return @response_object
 	    end
 
-		# @return [Mixed] @response_object set by request method
+		# @return [Mixed] response object set by request method
 	    def getResponseObject
 	    	return @response_object
 	    end
 
-	    # extracts 'data' parameter from @response_object
-	    # @return [Mixed] @response_data
+	    # extracts 'data' parameter from response object
+	    # @return [Mixed] response data
 	    def getResponseData
 	    	if (!@response_object)
 	            @response_data = 'Data is empty';
@@ -153,11 +155,6 @@ module Oxd
         	return @data
 	    end
 	    
-	    def getData2
-	    	@data = @params
-        	return @data
-	    end
-
     	# checks whether the passed string is in JSON format or not
     	# @param  string_to_validate [String]
     	# @return [Boolean]
@@ -170,15 +167,20 @@ module Oxd
  		end
 
  		# Logs server response and errors to log file
- 		# @param args [Hash] {:log_msg, :error} response to print in log file and raise error
+ 		# @param log_msg [String], response to print in log file and raise error
  		# @raise RuntimeError
- 		def logger(args={})
+ 		def logger(log_msg)
  			# Initialize Log file
 			# Location : app_root/log/oxd-ruby.log
 			@logger ||= Logger.new("log/oxd-ruby.log")
-			@logger.info(args[:log_msg])
+			@logger.info(log_msg)
+		end
 
-			raise (args[:error] || args[:log_msg]) if args[:error] != ""
-		end		
+		# Logs generated errors to log file
+		# @raise RuntimeError
+		def trigger_error(msg)
+			logger(msg)
+			raise msg
+		end
 	end
 end

data/lib/oxd/uma_commands.rb

@@ -1,5 +1,5 @@
 # @author Inderpal Singh
-# @note supports oxd-version 3.1.1
+# @note supports oxd-version 3.1.2
 module Oxd
 
 	require 'json'
@@ -13,13 +13,52 @@ module Oxd
 			super
 		end	
 
+		# default params to send with every request
+		def default_params
+			defaults = {
+				"oxd_id" => @configuration.oxd_id,
+				"protection_access_token" => @configuration.protection_access_token
+			}
+		end
+
 		# @param path [STRING] REQUIRED
 		# @param conditions [HASH] REQUIRED (variable number of conditions can be passed)
 		# @return [ARRAY] resources
-		# @example
-		#   condition1 = {:httpMethods => ["GET"], :scopes => ["http://photoz.example.com/dev/actions/view"]}
-		#   condition2 = {:httpMethods => ["PUT", "POST"], :scopes => ["http://photoz.example.com/dev/actions/all","http://photoz.example.com/dev/actions/add"],:ticketScopes => ["http://photoz.example.com/dev/actions/add"]}
+		# @example : 1
+		#   condition1 = {
+		#		:httpMethods => ["GET"],
+		#		:scopes => ["http://photoz.example.com/dev/actions/view"]
+		#	}
+		#   condition2 = {
+		#		:httpMethods => ["PUT", "POST"],
+		#		:scopes => [
+		#			"http://photoz.example.com/dev/actions/all",
+		#			"http://photoz.example.com/dev/actions/add"
+		#		],
+		#		:ticketScopes => ["http://photoz.example.com/dev/actions/add"]
+		#	}
 		#   uma_add_resource("/photo", condition1, condition2)
+		#
+		# @example : 2 (with scope expressions)
+		# 	condition = {
+		#		:httpMethods => ["GET"],
+		#		:scope_expression => {
+		#			:rule => { 
+		#				:and => [
+		#					{
+		#						:or => [{:var => 0}, {:var => 1}]
+		#					},
+		#					{:var => 2}
+		#				]
+		#			},
+		#			:data => [
+		#				"http://photoz.example.com/dev/actions/all",
+		#				"http://photoz.example.com/dev/actions/add",
+		#				"http://photoz.example.com/dev/actions/internalClient"
+		#			]
+		#		}
+		#	}
+		#   uma_add_resource("/photo", condition)
 		# combines multiple resources into @resources array to pass to uma_rs_protect method
 		def uma_add_resource(path, *conditions)			
 		    @resources.push({:path => path, :conditions => conditions})			
@@ -29,14 +68,10 @@ module Oxd
 		# @raise RuntimeError if @resources is nil
 		# method to protect resources with UMA resource server
 		def uma_rs_protect
-			logger(:log_msg => "Please set resources with uma_add_resource(path, *conditions) method first.") if(@resources.nil?)
-			logger(:log_msg => "UMA configuration #{@configuration}", :error => '')
+			trigger_error("Please set resources with uma_add_resource(path, *conditions) method first.") if(@resources.nil?)
+			logger("UMA configuration #{@configuration}")
 			@command = 'uma_rs_protect'
-			@params = {
-				"oxd_id" => @configuration.oxd_id,
-				"resources" => @resources,
-				"protection_access_token" => @configuration.protection_access_token
-			}
+			@params = default_params.merge({ "resources" => @resources })
 	        request('uma-rs-protect')
 	        getResponseData['oxd_id']
 		end
@@ -49,25 +84,24 @@ module Oxd
 		# @param state [STRING] OPTIONAL, state that is returned from uma_rp_get_claims_gathering_url command
 		# @return [Hash] response data (access_token, token_type, pct, upgraded)
 		# method for obtaining RPT to gain access to protected resources at the UMA resource server
-		def uma_rp_get_rpt( claim_token = nil, claim_token_format = nil, pct = nil, rpt = nil, scope = nil, state = nil )
+		def uma_rp_get_rpt( claim_token: nil, claim_token_format: nil, pct: nil, rpt: nil, scope: nil, state: nil )
 			@command = 'uma_rp_get_rpt'
-			@params = {
-				"oxd_id" => @configuration.oxd_id,
+	        @params = default_params.merge({
 				"ticket" => @configuration.ticket,
 				"claim_token" => claim_token,
 				"claim_token_format" => claim_token_format,
 				"pct" => pct,
 				"rpt" => (!rpt.nil?)? rpt : @configuration.rpt,
 				"scope" => scope,
-				"state" => state,
-				"protection_access_token" => @configuration.protection_access_token
-	        }
+				"state" => state
+	        })
 	        request('uma-rp-get-rpt')
 	        
 	        if getResponseData['error'] == 'need_info' && !getResponseData['details']['ticket'].empty?
-	        	@configuration.ticket = getResponseData['details']['ticket']	        
+	        	@configuration.ticket = getResponseData['details']['ticket']
+	        else
+	        	@configuration.rpt = getResponseData['access_token']
 	        end
-
 	        getResponseData
 		end
 
@@ -77,21 +111,17 @@ module Oxd
 		# method to check if we have permission to access particular resource or not
 		def uma_rs_check_access(path, http_method)
 			if (path.empty? || http_method.empty? || (!['GET', 'POST', 'PUT', 'DELETE'].include? http_method))
-            	logger(:log_msg => "Empty/Wrong value in place of path or http_method.")
+            	trigger_error("Empty/Wrong value in place of path or http_method.")
         	end
 			@command = 'uma_rs_check_access'
-			@params = {
-				"oxd_id" => @configuration.oxd_id,
+	        @params = default_params.merge({
 				"rpt" => @configuration.rpt,
 				"path" => path,
-				"http_method" => http_method,
-				"protection_access_token" => @configuration.protection_access_token
-	        }
+				"http_method" => http_method
+	        })
 	        request('uma-rs-check-access')
 	        if getResponseData['access'] == 'denied' && !getResponseData['ticket'].empty?
-	        	@configuration.ticket = getResponseData['ticket']
-	        elsif getResponseData['access'] == 'granted' 
-	        	@configuration.ticket = ""
+	        	@configuration.ticket = getResponseData['ticket']	        
 	        end
 	        getResponseData
 		end
@@ -101,17 +131,24 @@ module Oxd
 		# method to check if we have permission to access particular resource or not
 		def uma_rp_get_claims_gathering_url( claims_redirect_uri )
 			if (claims_redirect_uri.empty?)
-            	logger(:log_msg => "Empty/Wrong value in place of claims_redirect_uri.")
+            	trigger_error("Empty/Wrong value in place of claims_redirect_uri.")
         	end
 			@command = 'uma_rp_get_claims_gathering_url'
-			@params = {
-				"oxd_id" => @configuration.oxd_id,
+	        @params = default_params.merge({
 				"ticket" => @configuration.ticket,
-				"claims_redirect_uri" => claims_redirect_uri,
-				"protection_access_token" => @configuration.protection_access_token
-	        }
+				"claims_redirect_uri" => claims_redirect_uri
+	        })
 	        request('uma-rp-get-claims-gathering-url')	        
+	        getResponseData["url"]
+		end
+
+		# @return [OBJECT] @response_data
+		# method to gain information about obtained RPT
+		def introspect_rpt
+			@command = 'introspect_rpt'
+			@params = default_params.merge({ "rpt" => @configuration.rpt })
+	        request('introspect-rpt')	        
 	        getResponseData
-		end			
+		end		
 	end
 end