prx_auth-rails 0.1.0 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: ac6efcb3433ddd7f49eaa06285689d79320b8318
-  data.tar.gz: 44c91e2e17b65173218c068abeb642e972123cbd
+SHA256:
+  metadata.gz: 3405e4e72d2c39585111bef4fca339a73ce11ec86a2c288f5c82d8934c0620fe
+  data.tar.gz: 3450063f4c4fdae2464f755222fafee08c627eda3aa8fee1d267db1474db58de
 SHA512:
-  metadata.gz: 542bb85398b96f70a29e1db48f1a7a14b9b1a5a8136dc2284ffcccff2bf10c55fbddef9c8141b4b89ea00a2877b9c30a96e210ba4ac044677fe228ed6bde3873
-  data.tar.gz: f611e92844200d7b7a23f483054722c474f15e4a8081854678617b1939187f1fcabce14b4c5b4442649141a64b8a3a8537d6bc802f623d6380013ec806415fba
+  metadata.gz: edf33f5cf4bc105818bb069554506f0b2d9ef5b8bb18cd1602b2ceb6384991804b5b3268c6bd5c519c08e8503df51c132a9bec045f13995c1d55088194fff489
+  data.tar.gz: 4aa62706ee892c2335756e2c3ae61171b77acc69bfe0ec06433449726f8e884cee4af2031e55e418c6780e9aedc8bfb1c78359c072c089389422a2d4aa15c95b

data/.gitignore

@@ -14,4 +14,10 @@ rdoc
 spec/reports
 test/tmp
 test/version_tmp
+test/dummy/db/
+test/dummy/log/development.log
+test/dummy/log/test.log
+test/log/test.log
 tmp
+.ruby-version
+.DS_Store

data/Guardfile

@@ -0,0 +1,8 @@
+guard :minitest, all_after_pass: true do
+  watch(%r{^test/(.*)\/?test_(.*)\.rb})
+  watch(%r{^lib/(.*/)?([^/]+)\.rb})                      { |m| "test/#{m[1]}test_#{m[2]}.rb" }
+  watch(%r{^lib/(.+)\.rb})                               { |m| "test/#{m[1]}_test.rb" }
+  watch(%r{^lib/(.+)\.rb})                                    { |m| "test/#{m[1]}_test.rb" }
+  watch(%r{^test/.+_test\.rb})
+  watch(%r{^test/test_helper\.rb})                            { 'test' }
+end

data/README.md

@@ -1,6 +1,7 @@
 # PrxAuth::Rails
 
-Rails integration for next generation PRX Authorization system.
+Rails integration for next generation PRX Authorization system. This
+provides common OpenId authorization patterns used in PRX apps.
 
 ## Installation
 
@@ -14,7 +15,48 @@ And then execute:
 
 ## Usage
 
-That should be it, I think.
+Installing the gem in a Rails project will automatically add the
+appropriate Rack middleware to your Rails application and add two
+methods to your controllers. These methods are:
+
+* `prx_auth_token`: returns a token (similar to PrxAuth::Token) which
+  automatically namespaces queries. The main methods you will be
+interested in are `authorized?`, `globally_authorized?` and `resources`.
+More information can be found in PrxAuth.
+
+* `prx_authenticated?`: returns whether or not this request includes a
+  valid PrxAuth token.
+
+This will let set up the Rails app to be ready for HTTP requests
+associated with an OpenId access token.
+
+### Configuration
+
+Generally, configuration is not required and the gem aims for great
+defaults, but you can override some settings if you need to change the
+default behavior.
+
+If you're using the Rails server-side session flow, you must supply the
+client_id via configuration.
+
+In your rails app, add a file to config/initializers called
+`prx_auth.rb`:
+
+```ruby
+PrxAuth::Rails.configure do |config|
+
+  # enables automatic installation of token parser middleware
+  config.install_middleware = false # default: true
+
+  # automatically adds namespace to all scoped queries, e.g. .authorized?(:foo) will be treated
+  # as .authorized?(:my_great_ns, :foo). Has no impact on unscoped queries.
+  config.namespace = :my_great_ns   # default: derived from Rails::Application name.
+                                    #          e.g. class Feeder < Rails::Application => :feeder
+
+  # Set up the PRX OpenID client_id if using the backend rails sessions flow.
+  config.client_id = '<some client id>'
+end
+```
 
 ## Contributing
 

data/Rakefile

@@ -1 +1,18 @@
+require "bundler/setup"
+
+APP_RAKEFILE = File.expand_path("test/dummy/Rakefile", __dir__)
+load "rails/tasks/engine.rake"
+
+load "rails/tasks/statistics.rake"
+
 require "bundler/gem_tasks"
+require 'rake'
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+task default: :test

data/app/controllers/prx_auth/rails/sessions_controller.rb

@@ -0,0 +1,108 @@
+require 'open-uri'
+
+module PrxAuth::Rails
+  class SessionsController < ApplicationController
+    include PrxAuth::Rails::Engine.routes.url_helpers
+
+    skip_before_action :authenticate!
+
+    before_action :set_nonce!, only: :show
+
+    ID_NONCE_SESSION_KEY = 'id_prx_openid_nonce'.freeze
+
+    def new
+      set_nonce! unless fetch_nonce.present?
+
+      config = PrxAuth::Rails.configuration
+
+      id_auth_params = {
+        client_id: config.prx_client_id,
+        nonce: fetch_nonce,
+        response_type: 'id_token token',
+        scope: 'openid apps',
+        prompt: 'necessary'
+      }
+
+      redirect_to '//' + config.id_host + '/authorize?' + id_auth_params.to_query
+    end
+
+    def show
+    end
+
+    def auth_error
+      @auth_error_message = params.require(:error)
+    end
+
+    def create
+      jwt_id_claims = id_claims
+      jwt_access_claims = access_claims
+
+      jwt_access_claims['id_token'] = jwt_id_claims.as_json
+
+      result_path = if valid_nonce?(jwt_id_claims['nonce']) &&
+                        users_match?(jwt_id_claims, jwt_access_claims)
+                      sign_in_user(jwt_access_claims)
+                      after_sign_in_path_for(current_user)
+                    else
+                      auth_error_sessions_path(error: 'verification_failed')
+                    end
+      reset_nonce!
+
+      redirect_to result_path
+    end
+
+    private
+
+    def after_sign_in_path_for(_)
+      return super if defined?(super)
+
+      "/"
+    end
+
+    def id_claims
+      id_token = params.require('id_token')
+      validate_token(id_token)
+    end
+
+    def access_claims
+      access_token = params.require('access_token')
+      validate_token(access_token)
+    end
+
+    def reset_nonce!
+      session[ID_NONCE_SESSION_KEY] = nil
+    end
+
+    def set_nonce!
+      n = session[ID_NONCE_SESSION_KEY]
+      return n if n.present?
+
+      session[ID_NONCE_SESSION_KEY] = SecureRandom.hex
+    end
+
+    def fetch_nonce
+      session[ID_NONCE_SESSION_KEY]
+    end
+
+    def valid_nonce?(nonce)
+      return false if fetch_nonce.nil?
+
+      fetch_nonce == nonce
+    end
+
+    def users_match?(claims1, claims2)
+      return false if claims1['sub'].nil? || claims2['sub'].nil?
+
+      claims1['sub'] == claims2['sub']
+    end
+
+    def validate_token(token)
+      id_host = PrxAuth::Rails.configuration.id_host
+      prx_auth_cert = Rack::PrxAuth::Certificate.new("https://#{id_host}/api/v1/certs")
+      auth_validator = Rack::PrxAuth::AuthValidator.new(token, prx_auth_cert, id_host)
+      auth_validator.
+        claims.
+        with_indifferent_access
+    end
+  end
+end

data/app/views/prx_auth/rails/sessions/auth_error.html.erb

@@ -0,0 +1,15 @@
+<div class='main'>
+  <section>
+    <h3>Not authorized for this application.</h3>
+
+    <p>Message was: <pre><%= @auth_error_message %></pre>
+    <% if  @auth_error_message == 'invalid_scope' %>
+      Did you add a row in the account_applications table on id.prx?
+    <% end %>
+    </p>
+
+    <p>
+      <a href="<%= new_sessions_path %>">Try logging in again</a>
+    </p>
+  </section>
+</div>

data/app/views/prx_auth/rails/sessions/show.html.erb

@@ -0,0 +1,38 @@
+<div style="display:none;">
+  <%= form_for(:sessions, :url => PrxAuth::Rails::Engine.routes.url_helpers.sessions_path) do |f| %>
+      <%= hidden_field_tag :access_token, '', id: 'access-token-field' %>
+      <%= hidden_field_tag :id_token, '', id: 'id-token-field' %>
+      <%= f.submit id: 'sessions-form-submit' %>
+  <% end %>
+</div>
+
+<script type='application/javascript'>
+
+  function parseURLFragment() {
+    let hashParams = {};
+    let e,
+      a = /\+/g,  // Regex for replacing addition symbol with a space
+      r = /([^&;=]+)=?([^&;]*)/g,
+      d = function (s) { return decodeURIComponent(s.replace(a, " ")); },
+      q = window.location.hash.substring(1);
+
+    while (e = r.exec(q))
+      hashParams[d(e[1])] = d(e[2]);
+
+    return hashParams;
+  }
+
+window.addEventListener("load", () => {
+  var idToken = document.querySelector("#id-token-field");
+  var accessToken = document.querySelector("#access-token-field");
+  var submit = document.querySelector("input#sessions-form-submit[type=submit]");
+
+  var hashParams = parseURLFragment();
+
+  accessToken.value = hashParams['access_token'];
+  idToken.value = hashParams['id_token'];
+
+  submit.click();
+});
+
+</script>

data/config/routes.rb

@@ -0,0 +1,7 @@
+PrxAuth::Rails::Engine.routes.draw do
+  scope module: 'prx_auth/rails' do
+    resource 'sessions', except: :index, :defaults => { :format => 'html' } do
+      get 'auth_error', to: 'sessions#auth_error'
+    end
+  end
+end

data/lib/prx_auth/rails.rb

@@ -1,10 +1,18 @@
 require "prx_auth/rails/version"
+require "prx_auth/rails/configuration"
 require "prx_auth/rails/railtie" if defined?(Rails)
+require "prx_auth/rails/engine" if defined?(Rails)
+
 module PrxAuth
   module Rails
     class << self
-      attr_accessor :middleware
+      attr_accessor :configuration
+
+      def configure
+        yield configuration
+      end
     end
-    self.middleware = true
+
+    self.configuration = Configuration.new
   end
 end

data/lib/prx_auth/rails/configuration.rb

@@ -0,0 +1,28 @@
+class PrxAuth::Rails::Configuration
+  attr_accessor :install_middleware,
+                :namespace,
+                :prx_client_id,
+                :id_host
+
+
+  def initialize
+    @install_middleware = true
+    if defined?(::Rails)
+      klass = ::Rails.application.class
+      parent_name = if ::Rails::VERSION::MAJOR >= 6
+                      klass.module_parent_name
+                    else
+                      klass.parent_name
+                    end
+      klass_name = if parent_name.present?
+                     parent_name
+                   else
+                     klass.name
+                   end
+
+      @namespace = klass_name.underscore.intern
+      @prx_client_id = nil
+      @id_host = nil
+    end
+  end
+end

data/lib/prx_auth/rails/engine.rb

@@ -0,0 +1,5 @@
+module PrxAuth
+  module Rails
+    class Engine < ::Rails::Engine; end
+  end
+end

data/lib/prx_auth/rails/ext/controller.rb

@@ -1,13 +1,44 @@
+require 'prx_auth/rails/token'
+
 module PrxAuth
   module Rails
     module Controller
       def prx_auth_token
-        request.env['prx.auth']
+        rack_auth_token = env_prx_auth_token
+        return rack_auth_token if rack_auth_token.present?
+
+        session['prx.auth'] && Rack::PrxAuth::TokenData.new(session['prx.auth'])
       end
 
       def prx_authenticated?
         !!prx_auth_token
       end
+
+      def authenticate!
+        return true if current_user.present?
+
+        redirect_to PrxAuth::Rails::Engine.routes.url_helpers.new_sessions_path
+      end
+
+      def current_user
+        return if prx_auth_token.nil?
+
+        PrxAuth::Rails::Token.new(prx_auth_token)
+      end
+
+      def sign_in_user(token)
+        session['prx.auth'] = token
+      end
+
+      private
+
+      def env_prx_auth_token
+        if !defined? @_prx_auth_token
+          @_prx_auth_token = request.env['prx.auth'] && PrxAuth::Rails::Token.new(request.env['prx.auth'])
+        else
+          @_prx_auth_token
+        end
+      end
     end
   end
 end

data/lib/prx_auth/rails/railtie.rb

@@ -9,8 +9,8 @@ module PrxAuth::Rails
     end
 
     initializer 'prx_auth.insert_middleware' do |app|
-      if PrxAuth::Rails.middleware
-        app.config.middleware.insert ActionDispatch::ParamsParser, Rack::PrxAuth
+      if PrxAuth::Rails.configuration.install_middleware
+        app.config.middleware.insert_after Rack::Head, Rack::PrxAuth
       end
     end
   end

data/lib/prx_auth/rails/token.rb

@@ -0,0 +1,35 @@
+require 'rack/prx_auth'
+
+class PrxAuth::Rails::Token
+  def initialize(token_data)
+    @token_data = token_data
+    @namespace = PrxAuth::Rails.configuration.namespace
+  end
+
+  def authorized?(resource, namespace=nil, scope=nil)
+    namespace, scope = @namespace, namespace if scope.nil? && !namespace.nil?
+    @token_data.authorized?(resource, namespace, scope)
+  end
+
+  def globally_authorized?(namespace, scope=nil)
+    namespace, scope = @namespace, namespace if scope.nil?
+    @token_data.globally_authorized?(namespace, scope)
+  end
+
+  def resources(namespace=nil, scope=nil)
+    namespace, scope = @namespace, namespace if scope.nil? && !namespace.nil?
+    @token_data.resources(namespace, scope)
+  end
+
+  def scopes
+    @token_data.scopes
+  end
+
+  def user_id
+    @token_data.user_id
+  end
+
+  def authorized_account_ids(scope)
+    @token_data.authorized_account_ids(scope)
+  end
+end

data/lib/prx_auth/rails/version.rb

@@ -1,5 +1,5 @@
 module PrxAuth
   module Rails
-    VERSION = "0.1.0"
+    VERSION = "1.3.0"
   end
 end