prx_auth-rails 0.3.0 → 1.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: aca25d4b6fa954267347e83a2f3565f88d6590130894f87813153cb89b7540af
-  data.tar.gz: 3375fab69a09cce240744a2b6acb8a25ea08eca18640db3e47f2479f6c1038c9
+  metadata.gz: 6af8c934d225009086d72c5503a3ad3db62b95c073063f019a31277c9eacc5bf
+  data.tar.gz: ab82780e90f78e9a3a31515078c9b7530354ad83bf3fd402a05c78514a0c762d
 SHA512:
-  metadata.gz: 249ed7915081dd4a1efe69b69bc631a3353c0536697306d8e4794512f2a79d55b788a0a8fc665f1b47048044122a591c961c898b7853d279c85a8722f015448b
-  data.tar.gz: e00d920cbef8460ea423784aba18e002b2c150d78b87922960fae49ce0f5492c7ffb45e19f2cd4b1a4118f95029e63bfa22b036c81accb9c94102267d47cf1e9
+  metadata.gz: 7af00c69f65cabbb5da5a1ea9fe0a79d85a3b004d9c437fa5c1a5539be22fc21ac346e2956d3f6cebbf07765e6b988d9d291c1b384bf8a56b78a8782d2f8f6af
+  data.tar.gz: c9a17a75d94bf7158b96147c877020f2093c07eb6e5ba345fb4ba37d6fd51df72fb2d5db4fc22ca04832c6954b5f7b9154252fb40a5de4e5878d006b096f02b6

data/.gitignore

@@ -14,4 +14,10 @@ rdoc
 spec/reports
 test/tmp
 test/version_tmp
+test/dummy/db/
+test/dummy/log/development.log
+test/dummy/log/test.log
+test/log/test.log
 tmp
+.ruby-version
+.DS_Store

data/Guardfile

@@ -0,0 +1,8 @@
+guard :minitest, all_after_pass: true do
+  watch(%r{^test/(.*)\/?test_(.*)\.rb})
+  watch(%r{^lib/(.*/)?([^/]+)\.rb})                      { |m| "test/#{m[1]}test_#{m[2]}.rb" }
+  watch(%r{^lib/(.+)\.rb})                               { |m| "test/#{m[1]}_test.rb" }
+  watch(%r{^lib/(.+)\.rb})                                    { |m| "test/#{m[1]}_test.rb" }
+  watch(%r{^test/.+_test\.rb})
+  watch(%r{^test/test_helper\.rb})                            { 'test' }
+end

data/README.md

@@ -1,6 +1,7 @@
 # PrxAuth::Rails
 
-Rails integration for next generation PRX Authorization system.
+Rails integration for next generation PRX Authorization system. This
+provides common OpenId authorization patterns used in PRX apps.
 
 ## Installation
 
@@ -14,7 +15,48 @@ And then execute:
 
 ## Usage
 
-That should be it, I think.
+Installing the gem in a Rails project will automatically add the
+appropriate Rack middleware to your Rails application and add two
+methods to your controllers. These methods are:
+
+* `prx_auth_token`: returns a token (similar to PrxAuth::Token) which
+  automatically namespaces queries. The main methods you will be
+interested in are `authorized?`, `globally_authorized?` and `resources`.
+More information can be found in PrxAuth.
+
+* `prx_authenticated?`: returns whether or not this request includes a
+  valid PrxAuth token.
+
+This will let set up the Rails app to be ready for HTTP requests
+associated with an OpenId access token.
+
+### Configuration
+
+Generally, configuration is not required and the gem aims for great
+defaults, but you can override some settings if you need to change the
+default behavior.
+
+If you're using the Rails server-side session flow, you must supply the
+client_id via configuration.
+
+In your rails app, add a file to config/initializers called
+`prx_auth.rb`:
+
+```ruby
+PrxAuth::Rails.configure do |config|
+
+  # enables automatic installation of token parser middleware
+  config.install_middleware = false # default: true
+
+  # automatically adds namespace to all scoped queries, e.g. .authorized?(:foo) will be treated
+  # as .authorized?(:my_great_ns, :foo). Has no impact on unscoped queries.
+  config.namespace = :my_great_ns   # default: derived from Rails::Application name.
+                                    #          e.g. class Feeder < Rails::Application => :feeder
+
+  # Set up the PRX OpenID client_id if using the backend rails sessions flow.
+  config.client_id = '<some client id>'
+end
+```
 
 ## Contributing
 

data/Rakefile

@@ -1 +1,18 @@
+require "bundler/setup"
+
+APP_RAKEFILE = File.expand_path("test/dummy/Rakefile", __dir__)
+load "rails/tasks/engine.rake"
+
+load "rails/tasks/statistics.rake"
+
 require "bundler/gem_tasks"
+require 'rake'
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+task default: :test

data/app/controllers/prx_auth/rails/sessions_controller.rb

@@ -0,0 +1,107 @@
+module PrxAuth::Rails
+  class SessionsController < ApplicationController
+    include PrxAuth::Rails::Engine.routes.url_helpers
+
+    skip_before_action :authenticate!
+
+    before_action :set_nonce!, only: :show
+
+    ID_NONCE_SESSION_KEY = 'id_prx_openid_nonce'.freeze
+
+    def new
+      set_nonce! unless fetch_nonce.present?
+
+      config = PrxAuth::Rails.configuration
+
+      id_auth_params = {
+        client_id: config.prx_client_id,
+        nonce: fetch_nonce,
+        response_type: 'id_token token',
+        scope: 'openid apps',
+        prompt: 'necessary'
+      }
+
+      redirect_to '//' + config.id_host + '/authorize?' + id_auth_params.to_query
+    end
+
+    def show
+    end
+
+    def auth_error
+      @auth_error_message = params.require(:error)
+    end
+
+    def create
+      jwt_id_claims = id_claims
+      jwt_access_claims = access_claims
+
+      jwt_access_claims['id_token'] = jwt_id_claims.as_json
+
+      result_path = if valid_nonce?(jwt_id_claims['nonce']) &&
+                        users_match?(jwt_id_claims, jwt_access_claims)
+                      sign_in_user(jwt_access_claims)
+                      lookup_and_register_accounts_names
+                      after_sign_in_path_for(current_user)
+                    else
+                      auth_error_sessions_path(error: 'verification_failed')
+                    end
+      reset_nonce!
+
+      redirect_to result_path
+    end
+
+    private
+
+    def after_sign_in_path_for(_)
+      return super if defined?(super)
+
+      "/"
+    end
+
+    def id_claims
+      id_token = params.require('id_token')
+      validate_token(id_token)
+    end
+
+    def access_claims
+      access_token = params.require('access_token')
+      validate_token(access_token)
+    end
+
+    def reset_nonce!
+      session[ID_NONCE_SESSION_KEY] = nil
+    end
+
+    def set_nonce!
+      n = session[ID_NONCE_SESSION_KEY]
+      return n if n.present?
+
+      session[ID_NONCE_SESSION_KEY] = SecureRandom.hex
+    end
+
+    def fetch_nonce
+      session[ID_NONCE_SESSION_KEY]
+    end
+
+    def valid_nonce?(nonce)
+      return false if fetch_nonce.nil?
+
+      fetch_nonce == nonce
+    end
+
+    def users_match?(claims1, claims2)
+      return false if claims1['sub'].nil? || claims2['sub'].nil?
+
+      claims1['sub'] == claims2['sub']
+    end
+
+    def validate_token(token)
+      id_host = PrxAuth::Rails.configuration.id_host
+      prx_auth_cert = Rack::PrxAuth::Certificate.new("https://#{id_host}/api/v1/certs")
+      auth_validator = Rack::PrxAuth::AuthValidator.new(token, prx_auth_cert, id_host)
+      auth_validator.
+        claims.
+        with_indifferent_access
+    end
+  end
+end

data/app/views/prx_auth/rails/sessions/auth_error.html.erb

@@ -0,0 +1,15 @@
+<div class='main'>
+  <section>
+    <h3>Not authorized for this application.</h3>
+
+    <p>Message was: <pre><%= @auth_error_message %></pre>
+    <% if  @auth_error_message == 'invalid_scope' %>
+      Did you add a row in the account_applications table on id.prx?
+    <% end %>
+    </p>
+
+    <p>
+      <a href="<%= new_sessions_path %>">Try logging in again</a>
+    </p>
+  </section>
+</div>

data/app/views/prx_auth/rails/sessions/show.html.erb

@@ -0,0 +1,38 @@
+<div style="display:none;">
+  <%= form_for(:sessions, :url => PrxAuth::Rails::Engine.routes.url_helpers.sessions_path) do |f| %>
+      <%= hidden_field_tag :access_token, '', id: 'access-token-field' %>
+      <%= hidden_field_tag :id_token, '', id: 'id-token-field' %>
+      <%= f.submit id: 'sessions-form-submit' %>
+  <% end %>
+</div>
+
+<script type='application/javascript'>
+
+  function parseURLFragment() {
+    let hashParams = {};
+    let e,
+      a = /\+/g,  // Regex for replacing addition symbol with a space
+      r = /([^&;=]+)=?([^&;]*)/g,
+      d = function (s) { return decodeURIComponent(s.replace(a, " ")); },
+      q = window.location.hash.substring(1);
+
+    while (e = r.exec(q))
+      hashParams[d(e[1])] = d(e[2]);
+
+    return hashParams;
+  }
+
+window.addEventListener("load", () => {
+  var idToken = document.querySelector("#id-token-field");
+  var accessToken = document.querySelector("#access-token-field");
+  var submit = document.querySelector("input#sessions-form-submit[type=submit]");
+
+  var hashParams = parseURLFragment();
+
+  accessToken.value = hashParams['access_token'];
+  idToken.value = hashParams['id_token'];
+
+  submit.click();
+});
+
+</script>

data/config/routes.rb

@@ -0,0 +1,7 @@
+PrxAuth::Rails::Engine.routes.draw do
+  scope module: 'prx_auth/rails' do
+    resource 'sessions', except: :index, :defaults => { :format => 'html' } do
+      get 'auth_error', to: 'sessions#auth_error'
+    end
+  end
+end

data/lib/prx_auth/rails.rb

@@ -1,10 +1,18 @@
 require "prx_auth/rails/version"
+require "prx_auth/rails/configuration"
 require "prx_auth/rails/railtie" if defined?(Rails)
+require "prx_auth/rails/engine" if defined?(Rails)
+
 module PrxAuth
   module Rails
     class << self
-      attr_accessor :middleware
+      attr_accessor :configuration
+
+      def configure
+        yield configuration
+      end
     end
-    self.middleware = true
+
+    self.configuration = Configuration.new
   end
 end

data/lib/prx_auth/rails/configuration.rb

@@ -0,0 +1,28 @@
+class PrxAuth::Rails::Configuration
+  attr_accessor :install_middleware,
+                :namespace,
+                :prx_client_id,
+                :id_host
+
+
+  def initialize
+    @install_middleware = true
+    if defined?(::Rails)
+      klass = ::Rails.application.class
+      parent_name = if ::Rails::VERSION::MAJOR >= 6
+                      klass.module_parent_name
+                    else
+                      klass.parent_name
+                    end
+      klass_name = if parent_name.present?
+                     parent_name
+                   else
+                     klass.name
+                   end
+
+      @namespace = klass_name.underscore.intern
+      @prx_client_id = nil
+      @id_host = nil
+    end
+  end
+end

data/lib/prx_auth/rails/engine.rb

@@ -0,0 +1,9 @@
+module PrxAuth
+  module Rails
+    class Engine < ::Rails::Engine
+      config.to_prepare do
+        ::ApplicationController.helper_method [:current_user, :account_name_for]
+      end
+    end
+  end
+end

data/lib/prx_auth/rails/ext/controller.rb

@@ -1,13 +1,91 @@
+require 'prx_auth/rails/token'
+require 'open-uri'
+
 module PrxAuth
   module Rails
     module Controller
+
+      PRX_ACCOUNT_NAME_MAPPING_KEY = 'prx.account.name.mapping'.freeze
+
       def prx_auth_token
-        request.env['prx.auth']
+        rack_auth_token = env_prx_auth_token
+        return rack_auth_token if rack_auth_token.present?
+
+        session['prx.auth'] && Rack::PrxAuth::TokenData.new(session['prx.auth'])
       end
 
       def prx_authenticated?
         !!prx_auth_token
       end
+
+      def authenticate!
+        return true if current_user.present?
+
+        redirect_to PrxAuth::Rails::Engine.routes.url_helpers.new_sessions_path
+      end
+
+      def current_user
+        return if prx_auth_token.nil?
+
+        PrxAuth::Rails::Token.new(prx_auth_token)
+      end
+
+      def lookup_and_register_accounts_names
+        session[PRX_ACCOUNT_NAME_MAPPING_KEY] =
+          lookup_account_names_mapping
+      end
+
+      def account_name_for(id)
+        id = id.to_i
+
+        session[PRX_ACCOUNT_NAME_MAPPING_KEY] ||= {}
+
+        name =
+          if session[PRX_ACCOUNT_NAME_MAPPING_KEY].has_key?(id)
+            session[PRX_ACCOUNT_NAME_MAPPING_KEY][id]
+          else
+            session[PRX_ACCOUNT_NAME_MAPPING_KEY][id] = lookup_account_name_for(id)
+          end
+
+        name = "[#{id}] Unknown Account Name" unless name.present?
+
+        name
+      end
+
+      def sign_in_user(token)
+        session['prx.auth'] = token
+      end
+
+      private
+
+      def lookup_account_name_for(id)
+        id = id.to_i
+
+        res = lookup_account_names_mapping([id])
+        res[id]
+      end
+
+      def lookup_account_names_mapping(ids=current_user.resources)
+        id_host = PrxAuth::Rails.configuration.id_host
+        ids_param = ids.map(&:to_s).join(',')
+
+        options = {}
+        options[:ssl_verify_mode] = OpenSSL::SSL::VERIFY_NONE if ::Rails.env.development?
+
+        accounts = URI.open("https://#{id_host}/api/v1/accounts?account_ids=#{ids_param}", options).read
+
+        mapping = JSON.parse(accounts)['accounts'].map { |acct| [acct['id'], acct['display_name']] }.to_h
+
+        mapping
+      end
+
+      def env_prx_auth_token
+        if !defined? @_prx_auth_token
+          @_prx_auth_token = request.env['prx.auth'] && PrxAuth::Rails::Token.new(request.env['prx.auth'])
+        else
+          @_prx_auth_token
+        end
+      end
     end
   end
 end

data/lib/prx_auth/rails/railtie.rb

@@ -9,7 +9,7 @@ module PrxAuth::Rails
     end
 
     initializer 'prx_auth.insert_middleware' do |app|
-      if PrxAuth::Rails.middleware
+      if PrxAuth::Rails.configuration.install_middleware
         app.config.middleware.insert_after Rack::Head, Rack::PrxAuth
       end
     end