prx_auth-rails 1.2.0 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5204c5e69c74ec1fa4d6acf36b64c62700ba72d5308a020deee0526ff4dd5499
-  data.tar.gz: c5bbf5402868c36ba3e2c011eb4eb906d895e3b5237975a329099047f39a8cb3
+  metadata.gz: 3405e4e72d2c39585111bef4fca339a73ce11ec86a2c288f5c82d8934c0620fe
+  data.tar.gz: 3450063f4c4fdae2464f755222fafee08c627eda3aa8fee1d267db1474db58de
 SHA512:
-  metadata.gz: 0d3c3f2ba128a55921138c56e1c052ef6dfd030f720886daa5b77d831545ae9c093ac6c19cbc9887c41b17003142fe2c6eedbf18f6a102ce5e08ec7179556b49
-  data.tar.gz: cedc895cbe9b69bd7f87c365c7a0bf606236291e7572a7da5395c110612adf1e4164e40ed02e1f00517ee89da3e7c26563329b82bdb7026db4b563c113758fcf
+  metadata.gz: edf33f5cf4bc105818bb069554506f0b2d9ef5b8bb18cd1602b2ceb6384991804b5b3268c6bd5c519c08e8503df51c132a9bec045f13995c1d55088194fff489
+  data.tar.gz: 4aa62706ee892c2335756e2c3ae61171b77acc69bfe0ec06433449726f8e884cee4af2031e55e418c6780e9aedc8bfb1c78359c072c089389422a2d4aa15c95b

data/.gitignore

@@ -14,6 +14,10 @@ rdoc
 spec/reports
 test/tmp
 test/version_tmp
+test/dummy/db/
+test/dummy/log/development.log
+test/dummy/log/test.log
+test/log/test.log
 tmp
 .ruby-version
 .DS_Store

data/README.md

@@ -1,6 +1,7 @@
 # PrxAuth::Rails
 
-Rails integration for next generation PRX Authorization system.
+Rails integration for next generation PRX Authorization system. This
+provides common OpenId authorization patterns used in PRX apps.
 
 ## Installation
 
@@ -14,17 +15,32 @@ And then execute:
 
 ## Usage
 
-Installing the gem in a Rails project will automatically add the appropriate Rack middleware to your Rails application and add two methods to your controllers. These methods are:
+Installing the gem in a Rails project will automatically add the
+appropriate Rack middleware to your Rails application and add two
+methods to your controllers. These methods are:
 
-* `prx_auth_token`: returns a token (similar to PrxAuth::Token) which automatically namespaces queries. The main methods you will be interested in are `authorized?`, `globally_authorized?` and `resources`. More information can be found in PrxAuth.
+* `prx_auth_token`: returns a token (similar to PrxAuth::Token) which
+  automatically namespaces queries. The main methods you will be
+interested in are `authorized?`, `globally_authorized?` and `resources`.
+More information can be found in PrxAuth.
 
-* `prx_authenticated?`: returns whether or not this request includes a valid PrxAuth token.
+* `prx_authenticated?`: returns whether or not this request includes a
+  valid PrxAuth token.
+
+This will let set up the Rails app to be ready for HTTP requests
+associated with an OpenId access token.
 
 ### Configuration
 
-Generally, configuration is not required and the gem aims for great defaults, but you can override some settings if you need to change the default behavior.
+Generally, configuration is not required and the gem aims for great
+defaults, but you can override some settings if you need to change the
+default behavior.
+
+If you're using the Rails server-side session flow, you must supply the
+client_id via configuration.
 
-In your rails app, add a file to config/initializers called `prx_auth.rb`:
+In your rails app, add a file to config/initializers called
+`prx_auth.rb`:
 
 ```ruby
 PrxAuth::Rails.configure do |config|
@@ -36,6 +52,9 @@ PrxAuth::Rails.configure do |config|
   # as .authorized?(:my_great_ns, :foo). Has no impact on unscoped queries.
   config.namespace = :my_great_ns   # default: derived from Rails::Application name.
                                     #          e.g. class Feeder < Rails::Application => :feeder
+
+  # Set up the PRX OpenID client_id if using the backend rails sessions flow.
+  config.client_id = '<some client id>'
 end
 ```
 

data/Rakefile

@@ -1,10 +1,18 @@
-require 'bundler/gem_tasks'
+require "bundler/setup"
+
+APP_RAKEFILE = File.expand_path("test/dummy/Rakefile", __dir__)
+load "rails/tasks/engine.rake"
+
+load "rails/tasks/statistics.rake"
+
+require "bundler/gem_tasks"
 require 'rake'
-require 'rake/testtask'
+require "rake/testtask"
 
-Rake::TestTask.new do |t|
+Rake::TestTask.new(:test) do |t|
   t.libs << 'test'
-  t.pattern = 'test/**/*test.rb'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
 end
 
 task default: :test

data/app/controllers/prx_auth/rails/sessions_controller.rb

@@ -0,0 +1,108 @@
+require 'open-uri'
+
+module PrxAuth::Rails
+  class SessionsController < ApplicationController
+    include PrxAuth::Rails::Engine.routes.url_helpers
+
+    skip_before_action :authenticate!
+
+    before_action :set_nonce!, only: :show
+
+    ID_NONCE_SESSION_KEY = 'id_prx_openid_nonce'.freeze
+
+    def new
+      set_nonce! unless fetch_nonce.present?
+
+      config = PrxAuth::Rails.configuration
+
+      id_auth_params = {
+        client_id: config.prx_client_id,
+        nonce: fetch_nonce,
+        response_type: 'id_token token',
+        scope: 'openid apps',
+        prompt: 'necessary'
+      }
+
+      redirect_to '//' + config.id_host + '/authorize?' + id_auth_params.to_query
+    end
+
+    def show
+    end
+
+    def auth_error
+      @auth_error_message = params.require(:error)
+    end
+
+    def create
+      jwt_id_claims = id_claims
+      jwt_access_claims = access_claims
+
+      jwt_access_claims['id_token'] = jwt_id_claims.as_json
+
+      result_path = if valid_nonce?(jwt_id_claims['nonce']) &&
+                        users_match?(jwt_id_claims, jwt_access_claims)
+                      sign_in_user(jwt_access_claims)
+                      after_sign_in_path_for(current_user)
+                    else
+                      auth_error_sessions_path(error: 'verification_failed')
+                    end
+      reset_nonce!
+
+      redirect_to result_path
+    end
+
+    private
+
+    def after_sign_in_path_for(_)
+      return super if defined?(super)
+
+      "/"
+    end
+
+    def id_claims
+      id_token = params.require('id_token')
+      validate_token(id_token)
+    end
+
+    def access_claims
+      access_token = params.require('access_token')
+      validate_token(access_token)
+    end
+
+    def reset_nonce!
+      session[ID_NONCE_SESSION_KEY] = nil
+    end
+
+    def set_nonce!
+      n = session[ID_NONCE_SESSION_KEY]
+      return n if n.present?
+
+      session[ID_NONCE_SESSION_KEY] = SecureRandom.hex
+    end
+
+    def fetch_nonce
+      session[ID_NONCE_SESSION_KEY]
+    end
+
+    def valid_nonce?(nonce)
+      return false if fetch_nonce.nil?
+
+      fetch_nonce == nonce
+    end
+
+    def users_match?(claims1, claims2)
+      return false if claims1['sub'].nil? || claims2['sub'].nil?
+
+      claims1['sub'] == claims2['sub']
+    end
+
+    def validate_token(token)
+      id_host = PrxAuth::Rails.configuration.id_host
+      prx_auth_cert = Rack::PrxAuth::Certificate.new("https://#{id_host}/api/v1/certs")
+      auth_validator = Rack::PrxAuth::AuthValidator.new(token, prx_auth_cert, id_host)
+      auth_validator.
+        claims.
+        with_indifferent_access
+    end
+  end
+end

data/app/views/prx_auth/rails/sessions/auth_error.html.erb

@@ -0,0 +1,15 @@
+<div class='main'>
+  <section>
+    <h3>Not authorized for this application.</h3>
+
+    <p>Message was: <pre><%= @auth_error_message %></pre>
+    <% if  @auth_error_message == 'invalid_scope' %>
+      Did you add a row in the account_applications table on id.prx?
+    <% end %>
+    </p>
+
+    <p>
+      <a href="<%= new_sessions_path %>">Try logging in again</a>
+    </p>
+  </section>
+</div>

data/app/views/prx_auth/rails/sessions/show.html.erb

@@ -0,0 +1,38 @@
+<div style="display:none;">
+  <%= form_for(:sessions, :url => PrxAuth::Rails::Engine.routes.url_helpers.sessions_path) do |f| %>
+      <%= hidden_field_tag :access_token, '', id: 'access-token-field' %>
+      <%= hidden_field_tag :id_token, '', id: 'id-token-field' %>
+      <%= f.submit id: 'sessions-form-submit' %>
+  <% end %>
+</div>
+
+<script type='application/javascript'>
+
+  function parseURLFragment() {
+    let hashParams = {};
+    let e,
+      a = /\+/g,  // Regex for replacing addition symbol with a space
+      r = /([^&;=]+)=?([^&;]*)/g,
+      d = function (s) { return decodeURIComponent(s.replace(a, " ")); },
+      q = window.location.hash.substring(1);
+
+    while (e = r.exec(q))
+      hashParams[d(e[1])] = d(e[2]);
+
+    return hashParams;
+  }
+
+window.addEventListener("load", () => {
+  var idToken = document.querySelector("#id-token-field");
+  var accessToken = document.querySelector("#access-token-field");
+  var submit = document.querySelector("input#sessions-form-submit[type=submit]");
+
+  var hashParams = parseURLFragment();
+
+  accessToken.value = hashParams['access_token'];
+  idToken.value = hashParams['id_token'];
+
+  submit.click();
+});
+
+</script>

data/config/routes.rb

@@ -0,0 +1,7 @@
+PrxAuth::Rails::Engine.routes.draw do
+  scope module: 'prx_auth/rails' do
+    resource 'sessions', except: :index, :defaults => { :format => 'html' } do
+      get 'auth_error', to: 'sessions#auth_error'
+    end
+  end
+end

data/lib/prx_auth/rails.rb

@@ -1,6 +1,7 @@
 require "prx_auth/rails/version"
 require "prx_auth/rails/configuration"
 require "prx_auth/rails/railtie" if defined?(Rails)
+require "prx_auth/rails/engine" if defined?(Rails)
 
 module PrxAuth
   module Rails

data/lib/prx_auth/rails/configuration.rb

@@ -1,17 +1,28 @@
 class PrxAuth::Rails::Configuration
-  attr_accessor :install_middleware, :namespace
+  attr_accessor :install_middleware,
+                :namespace,
+                :prx_client_id,
+                :id_host
+
 
   def initialize
     @install_middleware = true
     if defined?(::Rails)
       klass = ::Rails.application.class
-      klass_name = if klass.parent_name.present?
-                     klass.parent_name
+      parent_name = if ::Rails::VERSION::MAJOR >= 6
+                      klass.module_parent_name
+                    else
+                      klass.parent_name
+                    end
+      klass_name = if parent_name.present?
+                     parent_name
                    else
                      klass.name
                    end
 
       @namespace = klass_name.underscore.intern
+      @prx_client_id = nil
+      @id_host = nil
     end
   end
-end
+end

data/lib/prx_auth/rails/engine.rb

@@ -0,0 +1,5 @@
+module PrxAuth
+  module Rails
+    class Engine < ::Rails::Engine; end
+  end
+end

data/lib/prx_auth/rails/ext/controller.rb

@@ -4,16 +4,41 @@ module PrxAuth
   module Rails
     module Controller
       def prx_auth_token
+        rack_auth_token = env_prx_auth_token
+        return rack_auth_token if rack_auth_token.present?
+
+        session['prx.auth'] && Rack::PrxAuth::TokenData.new(session['prx.auth'])
+      end
+
+      def prx_authenticated?
+        !!prx_auth_token
+      end
+
+      def authenticate!
+        return true if current_user.present?
+
+        redirect_to PrxAuth::Rails::Engine.routes.url_helpers.new_sessions_path
+      end
+
+      def current_user
+        return if prx_auth_token.nil?
+
+        PrxAuth::Rails::Token.new(prx_auth_token)
+      end
+
+      def sign_in_user(token)
+        session['prx.auth'] = token
+      end
+
+      private
+
+      def env_prx_auth_token
         if !defined? @_prx_auth_token
           @_prx_auth_token = request.env['prx.auth'] && PrxAuth::Rails::Token.new(request.env['prx.auth'])
         else
           @_prx_auth_token
         end
       end
-
-      def prx_authenticated?
-        !!prx_auth_token
-      end
     end
   end
 end

data/lib/prx_auth/rails/token.rb

@@ -28,4 +28,8 @@ class PrxAuth::Rails::Token
   def user_id
     @token_data.user_id
   end
-end
+
+  def authorized_account_ids(scope)
+    @token_data.authorized_account_ids(scope)
+  end
+end

data/lib/prx_auth/rails/version.rb

@@ -1,5 +1,5 @@
 module PrxAuth
   module Rails
-    VERSION = "1.2.0"
+    VERSION = "1.3.0"
   end
 end

data/prx_auth-rails.gemspec

@@ -29,7 +29,9 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'coveralls', '~> 0'
   spec.add_development_dependency 'guard'
   spec.add_development_dependency 'guard-minitest'
-  spec.add_development_dependency 'rails'
+  spec.add_development_dependency "rails", "~> 6.1.0"
+  spec.add_development_dependency 'pry'
+  spec.add_development_dependency 'sqlite3'
 
 
 

data/test/dummy/Rakefile

@@ -0,0 +1,6 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require_relative "config/application"
+
+Rails.application.load_tasks

data/test/dummy/app/assets/config/manifest.js

@@ -0,0 +1,2 @@
+//= link_tree ../images
+//= link_directory ../stylesheets .css

data/test/dummy/app/assets/stylesheets/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
+ * files in this directory. Styles in this file should be added after the last require_* statement.
+ * It is generally better to create a new file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/test/dummy/app/channels/application_cable/channel.rb

@@ -0,0 +1,4 @@
+module ApplicationCable
+  class Channel < ActionCable::Channel::Base
+  end
+end

data/test/dummy/app/channels/application_cable/connection.rb

@@ -0,0 +1,4 @@
+module ApplicationCable
+  class Connection < ActionCable::Connection::Base
+  end
+end