prx_auth-rails 1.0.0 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fb5677550d3e64273eddb57f84d6dc658d3f9ed82a2cb01e6966d9267ad76b53
-  data.tar.gz: d6f0ec6305622e5dbdaaf747e78678361d70d92410f84f77396db5d1254de4ec
+  metadata.gz: '081a5943f3b2b9a79035ea23b3c9d1273ba09938ea3e7351025cb4c3a836b108'
+  data.tar.gz: da3cc2f617261d7e22ad031a43fa903114aa537edb89e90b6de3ab8e132ee7b6
 SHA512:
-  metadata.gz: 720cfa888bbc17b9a677bc8c1944f8735db028a8196f1f170dd18b301c547687b52f466f1c1759f09820064a8317dc4d1499855a60c80a81ba4d2dd464df84aa
-  data.tar.gz: 151ffa59471a1c5c7543148c93f29e02ed67cbcc2d06551f9451d1599375962685bcf460179570a5ea363a237c1958dcadba8a9b234eaf73261f4fc124a879aa
+  metadata.gz: 801452a31c08d21d7c78ff49048f8bf4247d41a0ed7d491bb78165c558464149c9415017939b14351ade8848d81c143b9a1a1ea23cac6605521e654a651720b7
+  data.tar.gz: d4e3bd24d1c11838c1275db062c9bb9c4494a12cd13f39f3ef36cba20d5e539480920c06fd638ced3c9a372b4413797ab1e625e2ecb6e2d8f01bfccbfcfb0d8d

data/.gitignore

@@ -14,6 +14,10 @@ rdoc
 spec/reports
 test/tmp
 test/version_tmp
+test/dummy/db/
+test/dummy/log/development.log
+test/dummy/log/test.log
+test/log/test.log
 tmp
 .ruby-version
 .DS_Store

data/README.md

@@ -1,6 +1,7 @@
 # PrxAuth::Rails
 
-Rails integration for next generation PRX Authorization system.
+Rails integration for next generation PRX Authorization system. This
+provides common OpenId authorization patterns used in PRX apps.
 
 ## Installation
 
@@ -14,17 +15,32 @@ And then execute:
 
 ## Usage
 
-Installing the gem in a Rails project will automatically add the appropriate Rack middleware to your Rails application and add two methods to your controllers. These methods are:
+Installing the gem in a Rails project will automatically add the
+appropriate Rack middleware to your Rails application and add two
+methods to your controllers. These methods are:
 
-* `prx_auth_token`: returns a token (similar to PrxAuth::Token) which automatically namespaces queries. The main methods you will be interested in are `authorized?`, `globally_authorized?` and `resources`. More information can be found in PrxAuth.
+* `prx_auth_token`: returns a token (similar to PrxAuth::Token) which
+  automatically namespaces queries. The main methods you will be
+interested in are `authorized?`, `globally_authorized?` and `resources`.
+More information can be found in PrxAuth.
 
-* `prx_authenticated?`: returns whether or not this request includes a valid PrxAuth token.
+* `prx_authenticated?`: returns whether or not this request includes a
+  valid PrxAuth token.
+
+This will let set up the Rails app to be ready for HTTP requests
+associated with an OpenId access token.
 
 ### Configuration
 
-Generally, configuration is not required and the gem aims for great defaults, but you can override some settings if you need to change the default behavior.
+Generally, configuration is not required and the gem aims for great
+defaults, but you can override some settings if you need to change the
+default behavior.
+
+If you're using the Rails server-side session flow, you must supply the
+client_id via configuration.
 
-In your rails app, add a file to config/initializers called `prx_auth.rb`:
+In your rails app, add a file to config/initializers called
+`prx_auth.rb`:
 
 ```ruby
 PrxAuth::Rails.configure do |config|
@@ -36,6 +52,9 @@ PrxAuth::Rails.configure do |config|
   # as .authorized?(:my_great_ns, :foo). Has no impact on unscoped queries.
   config.namespace = :my_great_ns   # default: derived from Rails::Application name.
                                     #          e.g. class Feeder < Rails::Application => :feeder
+
+  # Set up the PRX OpenID client_id if using the backend rails sessions flow.
+  config.client_id = '<some client id>'
 end
 ```
 

data/Rakefile

@@ -1,10 +1,18 @@
-require 'bundler/gem_tasks'
+require "bundler/setup"
+
+APP_RAKEFILE = File.expand_path("test/dummy/Rakefile", __dir__)
+load "rails/tasks/engine.rake"
+
+load "rails/tasks/statistics.rake"
+
+require "bundler/gem_tasks"
 require 'rake'
-require 'rake/testtask'
+require "rake/testtask"
 
-Rake::TestTask.new do |t|
+Rake::TestTask.new(:test) do |t|
   t.libs << 'test'
-  t.pattern = 'test/**/*test.rb'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
 end
 
 task default: :test

data/app/controllers/prx_auth/rails/sessions_controller.rb

@@ -0,0 +1,121 @@
+module PrxAuth::Rails
+  class SessionsController < ApplicationController
+    include PrxAuth::Rails::Engine.routes.url_helpers
+
+    skip_before_action :authenticate!
+
+    before_action :set_nonce!, only: :show
+
+    ID_NONCE_SESSION_KEY = 'id_prx_openid_nonce'.freeze
+
+    def new
+      set_nonce! unless fetch_nonce.present?
+
+      config = PrxAuth::Rails.configuration
+
+      id_auth_params = {
+        client_id: config.prx_client_id,
+        nonce: fetch_nonce,
+        response_type: 'id_token token',
+        scope: 'openid apps',
+        prompt: 'necessary'
+      }
+
+      redirect_to '//' + config.id_host + '/authorize?' + id_auth_params.to_query
+    end
+
+    def show
+    end
+
+    def destroy
+      sign_out_user
+      redirect_to after_sign_out_path
+    end
+
+    def auth_error
+      @auth_error_message = params.require(:error)
+    end
+
+    def create
+      jwt_id_claims = id_claims
+      jwt_access_claims = access_claims
+
+      jwt_access_claims['id_token'] = jwt_id_claims.as_json
+
+      result_path = if valid_nonce?(jwt_id_claims['nonce']) &&
+                        users_match?(jwt_id_claims, jwt_access_claims)
+                      sign_in_user(jwt_access_claims)
+                      lookup_and_register_accounts_names
+                      after_sign_in_path_for(current_user)
+                    else
+                      auth_error_sessions_path(error: 'verification_failed')
+                    end
+      reset_nonce!
+
+      redirect_to result_path
+    end
+
+    private
+
+    def after_sign_in_path_for(_)
+      return super if defined?(super)
+
+      "/"
+    end
+
+    def after_sign_out_path
+      return super if defined?(super)
+
+      "https://#{id_host}/session/sign_out"
+    end
+
+    def id_claims
+      id_token = params.require('id_token')
+      validate_token(id_token)
+    end
+
+    def access_claims
+      access_token = params.require('access_token')
+      validate_token(access_token)
+    end
+
+    def reset_nonce!
+      session[ID_NONCE_SESSION_KEY] = nil
+    end
+
+    def set_nonce!
+      n = session[ID_NONCE_SESSION_KEY]
+      return n if n.present?
+
+      session[ID_NONCE_SESSION_KEY] = SecureRandom.hex
+    end
+
+    def fetch_nonce
+      session[ID_NONCE_SESSION_KEY]
+    end
+
+    def valid_nonce?(nonce)
+      return false if fetch_nonce.nil?
+
+      fetch_nonce == nonce
+    end
+
+    def users_match?(claims1, claims2)
+      return false if claims1['sub'].nil? || claims2['sub'].nil?
+
+      claims1['sub'] == claims2['sub']
+    end
+
+    def validate_token(token)
+      prx_auth_cert = Rack::PrxAuth::Certificate.new("https://#{id_host}/api/v1/certs")
+      auth_validator = Rack::PrxAuth::AuthValidator.new(token, prx_auth_cert, id_host)
+      auth_validator.
+        claims.
+        with_indifferent_access
+    end
+
+    def id_host
+      PrxAuth::Rails.configuration.id_host
+    end
+  end
+end

data/app/views/prx_auth/rails/sessions/auth_error.html.erb

@@ -0,0 +1,15 @@
+<div class='main'>
+  <section>
+    <h3>Not authorized for this application.</h3>
+
+    <p>Message was: <pre><%= @auth_error_message %></pre>
+    <% if  @auth_error_message == 'invalid_scope' %>
+      Did you add a row in the account_applications table on id.prx?
+    <% end %>
+    </p>
+
+    <p>
+      <a href="<%= new_sessions_path %>">Try logging in again</a>
+    </p>
+  </section>
+</div>

data/app/views/prx_auth/rails/sessions/show.html.erb

@@ -0,0 +1,38 @@
+<div style="display:none;">
+  <%= form_for(:sessions, :url => PrxAuth::Rails::Engine.routes.url_helpers.sessions_path) do |f| %>
+      <%= hidden_field_tag :access_token, '', id: 'access-token-field' %>
+      <%= hidden_field_tag :id_token, '', id: 'id-token-field' %>
+      <%= f.submit id: 'sessions-form-submit' %>
+  <% end %>
+</div>
+
+<script type='application/javascript'>
+
+  function parseURLFragment() {
+    let hashParams = {};
+    let e,
+      a = /\+/g,  // Regex for replacing addition symbol with a space
+      r = /([^&;=]+)=?([^&;]*)/g,
+      d = function (s) { return decodeURIComponent(s.replace(a, " ")); },
+      q = window.location.hash.substring(1);
+
+    while (e = r.exec(q))
+      hashParams[d(e[1])] = d(e[2]);
+
+    return hashParams;
+  }
+
+window.addEventListener("load", () => {
+  var idToken = document.querySelector("#id-token-field");
+  var accessToken = document.querySelector("#access-token-field");
+  var submit = document.querySelector("input#sessions-form-submit[type=submit]");
+
+  var hashParams = parseURLFragment();
+
+  accessToken.value = hashParams['access_token'];
+  idToken.value = hashParams['id_token'];
+
+  submit.click();
+});
+
+</script>

data/config/routes.rb

@@ -0,0 +1,7 @@
+PrxAuth::Rails::Engine.routes.draw do
+  scope module: 'prx_auth/rails' do
+    resource 'sessions', except: :index, :defaults => { :format => 'html' } do
+      get 'auth_error', to: 'sessions#auth_error'
+    end
+  end
+end

data/lib/prx_auth/rails.rb

@@ -1,6 +1,7 @@
 require "prx_auth/rails/version"
 require "prx_auth/rails/configuration"
 require "prx_auth/rails/railtie" if defined?(Rails)
+require "prx_auth/rails/engine" if defined?(Rails)
 
 module PrxAuth
   module Rails

data/lib/prx_auth/rails/configuration.rb

@@ -1,17 +1,28 @@
 class PrxAuth::Rails::Configuration
-  attr_accessor :install_middleware, :namespace
+  attr_accessor :install_middleware,
+                :namespace,
+                :prx_client_id,
+                :id_host
+
 
   def initialize
     @install_middleware = true
     if defined?(::Rails)
       klass = ::Rails.application.class
-      klass_name = if klass.parent_name.present?
-                     klass.parent_name
+      parent_name = if ::Rails::VERSION::MAJOR >= 6
+                      klass.module_parent_name
+                    else
+                      klass.parent_name
+                    end
+      klass_name = if parent_name.present?
+                     parent_name
                    else
                      klass.name
                    end
 
       @namespace = klass_name.underscore.intern
+      @prx_client_id = nil
+      @id_host = nil
     end
   end
-end
+end

data/lib/prx_auth/rails/engine.rb

@@ -0,0 +1,9 @@
+module PrxAuth
+  module Rails
+    class Engine < ::Rails::Engine
+      config.to_prepare do
+        ::ApplicationController.helper_method [:current_user, :account_name_for]
+      end
+    end
+  end
+end

data/lib/prx_auth/rails/ext/controller.rb

@@ -1,19 +1,96 @@
 require 'prx_auth/rails/token'
+require 'open-uri'
 
 module PrxAuth
   module Rails
     module Controller
+
+      PRX_ACCOUNT_NAME_MAPPING_KEY = 'prx.account.name.mapping'.freeze
+      PRX_TOKEN_SESSION_KEY = 'prx.auth'.freeze
+
       def prx_auth_token
+        rack_auth_token = env_prx_auth_token
+        return rack_auth_token if rack_auth_token.present?
+
+        session[PRX_TOKEN_SESSION_KEY] && Rack::PrxAuth::TokenData.new(session[PRX_TOKEN_SESSION_KEY])
+      end
+
+      def prx_authenticated?
+        !!prx_auth_token
+      end
+
+      def authenticate!
+        return true if current_user.present?
+
+        redirect_to PrxAuth::Rails::Engine.routes.url_helpers.new_sessions_path
+      end
+
+      def current_user
+        return if prx_auth_token.nil?
+
+        PrxAuth::Rails::Token.new(prx_auth_token)
+      end
+
+      def lookup_and_register_accounts_names
+        session[PRX_ACCOUNT_NAME_MAPPING_KEY] =
+          lookup_account_names_mapping
+      end
+
+      def account_name_for(id)
+        id = id.to_i
+
+        session[PRX_ACCOUNT_NAME_MAPPING_KEY] ||= {}
+
+        name =
+          if session[PRX_ACCOUNT_NAME_MAPPING_KEY].has_key?(id)
+            session[PRX_ACCOUNT_NAME_MAPPING_KEY][id]
+          else
+            session[PRX_ACCOUNT_NAME_MAPPING_KEY][id] = lookup_account_name_for(id)
+          end
+
+        name = "[#{id}] Unknown Account Name" unless name.present?
+
+        name
+      end
+
+      def sign_in_user(token)
+        session[PRX_TOKEN_SESSION_KEY] = token
+      end
+
+      def sign_out_user
+        session.delete(PRX_TOKEN_SESSION_KEY)
+      end
+
+      private
+
+      def lookup_account_name_for(id)
+        id = id.to_i
+
+        res = lookup_account_names_mapping([id])
+        res[id]
+      end
+
+      def lookup_account_names_mapping(ids=current_user.resources)
+        id_host = PrxAuth::Rails.configuration.id_host
+        ids_param = ids.map(&:to_s).join(',')
+
+        options = {}
+        options[:ssl_verify_mode] = OpenSSL::SSL::VERIFY_NONE if ::Rails.env.development?
+
+        accounts = URI.open("https://#{id_host}/api/v1/accounts?account_ids=#{ids_param}", options).read
+
+        mapping = JSON.parse(accounts)['accounts'].map { |acct| [acct['id'], acct['display_name']] }.to_h
+
+        mapping
+      end
+
+      def env_prx_auth_token
         if !defined? @_prx_auth_token
           @_prx_auth_token = request.env['prx.auth'] && PrxAuth::Rails::Token.new(request.env['prx.auth'])
         else
           @_prx_auth_token
         end
       end
-
-      def prx_authenticated?
-        !!prx_auth_token
-      end
     end
   end
 end