prx_auth-rails 1.2.0 → 1.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5204c5e69c74ec1fa4d6acf36b64c62700ba72d5308a020deee0526ff4dd5499
-  data.tar.gz: c5bbf5402868c36ba3e2c011eb4eb906d895e3b5237975a329099047f39a8cb3
+  metadata.gz: bf8c434fb9b4854b2dd16dd7a49a9cfbf3adcc371269e93b8fe0b1c82f7d8e44
+  data.tar.gz: 2402bb437ecfb9873dee6fc5763a7fb63005549f78e8fa6d36315a08aacc50e2
 SHA512:
-  metadata.gz: 0d3c3f2ba128a55921138c56e1c052ef6dfd030f720886daa5b77d831545ae9c093ac6c19cbc9887c41b17003142fe2c6eedbf18f6a102ce5e08ec7179556b49
-  data.tar.gz: cedc895cbe9b69bd7f87c365c7a0bf606236291e7572a7da5395c110612adf1e4164e40ed02e1f00517ee89da3e7c26563329b82bdb7026db4b563c113758fcf
+  metadata.gz: 7aac974b86051fb56c34cfc95526cff184f8301c7f109e3f2965be8b0db6bdbae79c2099ef768317354381333bb88c60de1608c1feeab0d8d075f54937590684
+  data.tar.gz: f9042ad439ac44c6d7e3d9d3813cbf7940ad421a9ef536e2e80e9bed1f4bbaf8f28cc6371f14b237a2bd303c2d53dbdc745acaae21de7498cf4b9c209a8f9948

data/.gitignore

@@ -14,6 +14,10 @@ rdoc
 spec/reports
 test/tmp
 test/version_tmp
+test/dummy/db/
+test/dummy/log/development.log
+test/dummy/log/test.log
+test/log/test.log
 tmp
 .ruby-version
 .DS_Store

data/README.md

@@ -1,6 +1,7 @@
 # PrxAuth::Rails
 
-Rails integration for next generation PRX Authorization system.
+Rails integration for next generation PRX Authorization system. This
+provides common OpenId authorization patterns used in PRX apps.
 
 ## Installation
 
@@ -14,17 +15,32 @@ And then execute:
 
 ## Usage
 
-Installing the gem in a Rails project will automatically add the appropriate Rack middleware to your Rails application and add two methods to your controllers. These methods are:
+Installing the gem in a Rails project will automatically add the
+appropriate Rack middleware to your Rails application and add two
+methods to your controllers. These methods are:
 
-* `prx_auth_token`: returns a token (similar to PrxAuth::Token) which automatically namespaces queries. The main methods you will be interested in are `authorized?`, `globally_authorized?` and `resources`. More information can be found in PrxAuth.
+* `prx_auth_token`: returns a token (similar to PrxAuth::Token) which
+  automatically namespaces queries. The main methods you will be
+interested in are `authorized?`, `globally_authorized?` and `resources`.
+More information can be found in PrxAuth.
 
-* `prx_authenticated?`: returns whether or not this request includes a valid PrxAuth token.
+* `prx_authenticated?`: returns whether or not this request includes a
+  valid PrxAuth token.
+
+This will let set up the Rails app to be ready for HTTP requests
+associated with an OpenId access token.
 
 ### Configuration
 
-Generally, configuration is not required and the gem aims for great defaults, but you can override some settings if you need to change the default behavior.
+Generally, configuration is not required and the gem aims for great
+defaults, but you can override some settings if you need to change the
+default behavior.
+
+If you're using the Rails server-side session flow, you must supply the
+client_id via configuration.
 
-In your rails app, add a file to config/initializers called `prx_auth.rb`:
+In your rails app, add a file to config/initializers called
+`prx_auth.rb`:
 
 ```ruby
 PrxAuth::Rails.configure do |config|
@@ -36,6 +52,9 @@ PrxAuth::Rails.configure do |config|
   # as .authorized?(:my_great_ns, :foo). Has no impact on unscoped queries.
   config.namespace = :my_great_ns   # default: derived from Rails::Application name.
                                     #          e.g. class Feeder < Rails::Application => :feeder
+
+  # Set up the PRX OpenID client_id if using the backend rails sessions flow.
+  config.client_id = '<some client id>'
 end
 ```
 

data/Rakefile

@@ -1,10 +1,18 @@
-require 'bundler/gem_tasks'
+require "bundler/setup"
+
+APP_RAKEFILE = File.expand_path("test/dummy/Rakefile", __dir__)
+load "rails/tasks/engine.rake"
+
+load "rails/tasks/statistics.rake"
+
+require "bundler/gem_tasks"
 require 'rake'
-require 'rake/testtask'
+require "rake/testtask"
 
-Rake::TestTask.new do |t|
+Rake::TestTask.new(:test) do |t|
   t.libs << 'test'
-  t.pattern = 'test/**/*test.rb'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
 end
 
 task default: :test

data/app/assets/config/prx_auth-rails_manifest.js

@@ -0,0 +1,3 @@
+//= link_directory ../javascripts .js
+//= link_directory ../stylesheets .css
+//= link_tree ../images

data/app/assets/images/prx_auth-rails/user.svg

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="100%" height="100%" viewBox="0 0 51 51" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:1.41421;">
+    <path d="M51,25.5C51,11.44 39.56,0 25.5,0C11.44,0 0,11.44 0,25.5C0,32.927 3.194,39.621 8.277,44.285L8.253,44.306L9.08,45.003C9.134,45.049 9.192,45.086 9.246,45.13C9.685,45.495 10.141,45.841 10.604,46.175C10.755,46.284 10.905,46.392 11.058,46.498C11.553,46.839 12.061,47.163 12.58,47.47C12.693,47.537 12.807,47.602 12.922,47.666C13.49,47.99 14.07,48.295 14.665,48.575C14.708,48.596 14.753,48.614 14.796,48.635C16.734,49.535 18.801,50.196 20.964,50.586C21.02,50.597 21.077,50.607 21.134,50.617C21.806,50.733 22.485,50.826 23.172,50.888C23.255,50.895 23.339,50.9 23.423,50.907C24.107,50.964 24.799,51 25.5,51C26.195,51 26.88,50.964 27.56,50.909C27.647,50.902 27.733,50.897 27.819,50.89C28.501,50.828 29.174,50.738 29.839,50.624C29.896,50.613 29.955,50.603 30.012,50.592C32.142,50.21 34.18,49.564 36.092,48.686C36.163,48.654 36.234,48.623 36.305,48.59C36.877,48.321 37.436,48.031 37.984,47.722C38.12,47.645 38.256,47.567 38.391,47.487C38.89,47.194 39.38,46.887 39.857,46.56C40.029,46.443 40.196,46.32 40.366,46.198C40.773,45.905 41.173,45.602 41.561,45.286C41.648,45.217 41.74,45.156 41.825,45.085L42.673,44.376L42.648,44.355C47.776,39.689 51,32.965 51,25.5ZM1.855,25.5C1.855,12.462 12.462,1.855 25.5,1.855C38.538,1.855 49.145,12.462 49.145,25.5C49.145,32.526 46.062,38.843 41.181,43.177C40.908,42.988 40.634,42.82 40.353,42.679L32.502,38.754C31.797,38.401 31.359,37.693 31.359,36.905L31.359,34.164C31.541,33.939 31.733,33.685 31.932,33.406C32.948,31.971 33.763,30.374 34.357,28.656C35.532,28.097 36.291,26.927 36.291,25.606L36.291,22.319C36.291,21.515 35.996,20.735 35.468,20.122L35.468,15.794C35.516,15.312 35.687,12.597 33.722,10.357C32.013,8.406 29.247,7.418 25.5,7.418C21.753,7.418 18.987,8.406 17.278,10.356C15.313,12.596 15.484,15.313 15.532,15.793L15.532,20.121C15.005,20.734 14.709,21.514 14.709,22.318L14.709,25.605C14.709,26.626 15.167,27.578 15.952,28.221C16.703,31.163 18.249,33.39 18.82,34.145L18.82,36.828C18.82,37.585 18.407,38.281 17.742,38.644L10.41,42.643C10.177,42.77 9.945,42.919 9.713,43.085C4.892,38.753 1.855,32.475 1.855,25.5Z" style="fill:white;fill-rule:nonzero;"/>
+</svg>

data/app/assets/javascripts/prx_auth-rails/user_widget.js.erb

@@ -0,0 +1,44 @@
+// https://stackoverflow.com/questions/8578617/inject-a-script-tag-with-remote-src-and-wait-for-it-to-execute
+function prxInjectScript(src, callback) {
+  const script = document.createElement('script');
+
+  script.type = 'text/javascript';
+  script.async = false;
+  script.src = src;
+
+  script.onload = function () { script.onload = null; callback(); }
+
+  document.getElementsByTagName('head')[0].appendChild(script);
+}
+
+document.addEventListener('DOMContentLoaded', function () {
+  const idHost = 'https://<%= PrxAuth::Rails.configuration.id_host %>';
+  const scriptUrl = idHost + '/widget.js';
+
+  prxInjectScript(scriptUrl, function () {
+    const signIn = new PRXSignIn(idHost);
+
+    signIn.signedIn(function (prx) {
+      const widget = document.getElementById('prx-user-widget');
+      const account = document.getElementById('prx-user-widget-menu-account');
+
+      if (!prx.userinfo) {
+        // Not logged in
+        widget.classList.add('no-user-info');
+
+        const url = idHost + '/session?return_to=' + encodeURIComponent(window.location);
+
+        account.innerHTML = '<a class=sign-in href="' + url + '">Sign in</a>';
+      } else {
+        // Logged in
+        widget.classList.add('user-info');
+
+        const account = document.getElementById('prx-user-widget-menu-account');
+        account.innerText = prx.userinfo.email;
+
+        signIn.listApps('prx-user-widget-menu-apps');
+      }
+    });
+  });
+});
+

data/app/assets/stylesheets/prx_auth-rails/user_widget.css

@@ -0,0 +1,69 @@
+#prx-user-widget {
+  display: flex;
+  flex-direction: column;
+  height: 100%;
+  justify-content: center;
+  padding: 0 20px;
+  position: absolute;
+  right: 0;
+  transition-property: opacity;
+  transition-duration: 0.2s;
+}
+@media (max-width: ) {
+  #prx-user-widget {
+    height: auto;
+    top: 0;
+  }
+}
+#prx-user-widget:hover {
+}
+#prx-user-widget:hover .user-icon {
+  opacity: 1;
+}
+#prx-user-widget:hover #prx-user-widget-menu {
+  display: block;
+}
+#prx-user-widget .user-icon {
+  cursor: pointer;
+  height: 2em;
+  opacity: 0.7;
+  width: 2em;
+}
+#prx-user-widget #prx-user-widget-menu {
+  background-color: #1a1a1a;
+  display: none;
+  right: 0;
+  padding: 10px 20px;
+  position: absolute;
+  top: 100%;
+  z-index: 999;
+  display: none;
+}
+
+#prx-user-widget #prx-user-widget-menu h1 {
+  color: white;
+  font-size: .9em;
+  font-weight: 700;
+}
+
+#prx-user-widget #prx-user-widget-menu-apps {
+  padding: 0;
+}
+#prx-user-widget #prx-user-widget-menu-apps ul {
+  border-top: 1px solid #ddd;
+  padding: 15px 0 0;
+}
+
+#prx-user-widget #prx-user-widget-menu-apps ul li a {
+  display: block;
+  font-weight: normal;
+  opacity: 0.7;
+  padding: 5px 0;
+  text-transform: none;
+}
+#prx-user-widget #prx-user-widget-menu-apps ul li a:hover {
+  opacity: 1;
+}
+.prx-home #prx-user-widget.loaded:hover {
+  background: transparent;
+}

data/app/controllers/prx_auth/rails/sessions_controller.rb

@@ -0,0 +1,121 @@
+module PrxAuth::Rails
+  class SessionsController < ApplicationController
+    include PrxAuth::Rails::Engine.routes.url_helpers
+
+    skip_before_action :authenticate!
+
+    before_action :set_nonce!, only: :show
+
+    ID_NONCE_SESSION_KEY = 'id_prx_openid_nonce'.freeze
+
+    def new
+      set_nonce! unless fetch_nonce.present?
+
+      config = PrxAuth::Rails.configuration
+
+      id_auth_params = {
+        client_id: config.prx_client_id,
+        nonce: fetch_nonce,
+        response_type: 'id_token token',
+        scope: 'openid apps',
+        prompt: 'necessary'
+      }
+
+      redirect_to '//' + config.id_host + '/authorize?' + id_auth_params.to_query
+    end
+
+    def show
+    end
+
+    def destroy
+      sign_out_user
+      redirect_to after_sign_out_path
+    end
+
+    def auth_error
+      @auth_error_message = params.require(:error)
+    end
+
+    def create
+      jwt_id_claims = id_claims
+      jwt_access_claims = access_claims
+
+      jwt_access_claims['id_token'] = jwt_id_claims.as_json
+
+      result_path = if valid_nonce?(jwt_id_claims['nonce']) &&
+                        users_match?(jwt_id_claims, jwt_access_claims)
+                      sign_in_user(jwt_access_claims)
+                      lookup_and_register_accounts_names
+                      after_sign_in_path_for(current_user)
+                    else
+                      auth_error_sessions_path(error: 'verification_failed')
+                    end
+      reset_nonce!
+
+      redirect_to result_path
+    end
+
+    private
+
+    def after_sign_in_path_for(_)
+      return super if defined?(super)
+
+      "/"
+    end
+
+    def after_sign_out_path
+      return super if defined?(super)
+
+      "https://#{id_host}/session/sign_out"
+    end
+
+    def id_claims
+      id_token = params.require('id_token')
+      validate_token(id_token)
+    end
+
+    def access_claims
+      access_token = params.require('access_token')
+      validate_token(access_token)
+    end
+
+    def reset_nonce!
+      session[ID_NONCE_SESSION_KEY] = nil
+    end
+
+    def set_nonce!
+      n = session[ID_NONCE_SESSION_KEY]
+      return n if n.present?
+
+      session[ID_NONCE_SESSION_KEY] = SecureRandom.hex
+    end
+
+    def fetch_nonce
+      session[ID_NONCE_SESSION_KEY]
+    end
+
+    def valid_nonce?(nonce)
+      return false if fetch_nonce.nil?
+
+      fetch_nonce == nonce
+    end
+
+    def users_match?(claims1, claims2)
+      return false if claims1['sub'].nil? || claims2['sub'].nil?
+
+      claims1['sub'] == claims2['sub']
+    end
+
+    def validate_token(token)
+      prx_auth_cert = Rack::PrxAuth::Certificate.new("https://#{id_host}/api/v1/certs")
+      auth_validator = Rack::PrxAuth::AuthValidator.new(token, prx_auth_cert, id_host)
+      auth_validator.
+        claims.
+        with_indifferent_access
+    end
+
+    def id_host
+      PrxAuth::Rails.configuration.id_host
+    end
+  end
+end

data/app/views/prx_auth/rails/sessions/auth_error.html.erb

@@ -0,0 +1,15 @@
+<div class='main'>
+  <section>
+    <h3>Not authorized for this application.</h3>
+
+    <p>Message was: <pre><%= @auth_error_message %></pre>
+    <% if  @auth_error_message == 'invalid_scope' %>
+      Did you add a row in the account_applications table on id.prx?
+    <% end %>
+    </p>
+
+    <p>
+      <a href="<%= new_sessions_path %>">Try logging in again</a>
+    </p>
+  </section>
+</div>

data/app/views/prx_auth/rails/sessions/show.html.erb

@@ -0,0 +1,38 @@
+<div style="display:none;">
+  <%= form_for(:sessions, :url => PrxAuth::Rails::Engine.routes.url_helpers.sessions_path) do |f| %>
+      <%= hidden_field_tag :access_token, '', id: 'access-token-field' %>
+      <%= hidden_field_tag :id_token, '', id: 'id-token-field' %>
+      <%= f.submit id: 'sessions-form-submit' %>
+  <% end %>
+</div>
+
+<script type='application/javascript'>
+
+  function parseURLFragment() {
+    let hashParams = {};
+    let e,
+      a = /\+/g,  // Regex for replacing addition symbol with a space
+      r = /([^&;=]+)=?([^&;]*)/g,
+      d = function (s) { return decodeURIComponent(s.replace(a, " ")); },
+      q = window.location.hash.substring(1);
+
+    while (e = r.exec(q))
+      hashParams[d(e[1])] = d(e[2]);
+
+    return hashParams;
+  }
+
+window.addEventListener("load", () => {
+  var idToken = document.querySelector("#id-token-field");
+  var accessToken = document.querySelector("#access-token-field");
+  var submit = document.querySelector("input#sessions-form-submit[type=submit]");
+
+  var hashParams = parseURLFragment();
+
+  accessToken.value = hashParams['access_token'];
+  idToken.value = hashParams['id_token'];
+
+  submit.click();
+});
+
+</script>

data/config/initializers/assets.rb

@@ -0,0 +1 @@
+Rails.application.config.assets.precompile << %w(prx_auth-rails_manifest.js)

data/config/routes.rb

@@ -0,0 +1,7 @@
+PrxAuth::Rails::Engine.routes.draw do
+  scope module: 'prx_auth/rails' do
+    resource 'sessions', except: :index, :defaults => { :format => 'html' } do
+      get 'auth_error', to: 'sessions#auth_error'
+    end
+  end
+end

data/lib/prx_auth/rails.rb

@@ -1,6 +1,7 @@
 require "prx_auth/rails/version"
 require "prx_auth/rails/configuration"
 require "prx_auth/rails/railtie" if defined?(Rails)
+require "prx_auth/rails/engine" if defined?(Rails)
 
 module PrxAuth
   module Rails

data/lib/prx_auth/rails/configuration.rb

@@ -1,17 +1,28 @@
 class PrxAuth::Rails::Configuration
-  attr_accessor :install_middleware, :namespace
+  attr_accessor :install_middleware,
+                :namespace,
+                :prx_client_id,
+                :id_host
+
 
   def initialize
     @install_middleware = true
     if defined?(::Rails)
       klass = ::Rails.application.class
-      klass_name = if klass.parent_name.present?
-                     klass.parent_name
+      parent_name = if ::Rails::VERSION::MAJOR >= 6
+                      klass.module_parent_name
+                    else
+                      klass.parent_name
+                    end
+      klass_name = if parent_name.present?
+                     parent_name
                    else
                      klass.name
                    end
 
       @namespace = klass_name.underscore.intern
+      @prx_client_id = nil
+      @id_host = nil
     end
   end
-end
+end