publishing_platform_sso 0.2.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 9625f245d4f4954072d35c039d5534cfce0e6c518c55346a33f20a05bf53dab7
+  data.tar.gz: a05808b7b7fa6a98599a7b30e842f433115d8228e9d6595c6aa8dec872cdb309
+SHA512:
+  metadata.gz: e5f0149ff796a41ca14dee9babee288513ba9da2de5ea72c0423a02584a7b2ab76e49e60799d59838229bc9f2b129b8d9f81a22eace9ab5f1f5fb5f9af1aed77
+  data.tar.gz: fab81cc20834dec39d953adfe35d525ddd9e497a00ba55cf4896a03edc5dcbc484cdfce05c496439b1793f4115d9d2150bf3db839534160c5d273de9997f5c1b

data/Gemfile

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in publishing_platform_sso.gemspec
+gemspec
+
+gem "rake", "~> 13.0"
+
+gem "rspec", "~> 3.0"

data/README.md

@@ -0,0 +1,156 @@
+# publishing_platform_sso
+
+This gem provides everything needed to integrate an application with [Signon](https://github.com/publishing-platform/signon). It's a wrapper around [OmniAuth](https://github.com/intridea/omniauth) that adds a 'strategy' for oAuth2 integration against Signon,
+and the necessary controller to support that request flow.
+
+
+## Usage
+
+### Integration with a Rails 4+ app
+
+- Include the gem in your Gemfile:
+
+  ```ruby
+  gem 'publishing_platform_sso'
+  ```
+
+- Create a "users" table in the database.  Example migration:
+
+  ```ruby
+  class CreateUsers < ActiveRecord::Migration[7.1]
+    def change
+      create_table :users do |t|
+      t.string  :name
+      t.string  :email
+      t.string  :uid
+      t.string  :organisation_slug
+      t.string  :organisation_content_id
+      t.string  :app_name # api only
+      t.text    :permissions      
+      t.boolean :disabled, default: false
+      
+      t.timestamps
+      end
+    end
+  end
+  ```
+
+- Create a User model with the following:
+
+  ```ruby
+  serialize :permissions, Array
+  ```
+
+- Add to your `ApplicationController`:
+
+  ```ruby
+  include PublishingPlatform::SSO::ControllerMethods
+  before_action :authenticate_user!
+  ```
+
+### Securing your application
+
+[PublishingPlatform::SSO::ControllerMethods](/lib/publishing_platform_sso/controller_methods.rb) provides some useful methods for your application controllers.
+
+To make sure that only people with a signon account and permission to use your app are allowed in use `authenticate_user!`.
+
+```ruby
+class ApplicationController < ActionController::Base
+  include PublishingPlatform::SSO::ControllerMethods
+  before_action :authenticate_user!
+  # ...
+end
+```
+
+You can refine authorisation to specific controller actions based on permissions using `authorise_user!`. All permissions are assigned via Signon.
+
+```ruby
+class PublicationsController < ActionController::Base
+  include PublishingPlatform::SSO::ControllerMethods
+  before_action :authorise_for_editing!, except: [:show, :index]
+  # ...
+private
+  def authorise_for_editing!
+    authorise_user!('edit_publications')
+  end
+end
+```
+
+`authorise_user!` can be configured to check for multiple permissions:
+
+```ruby
+# fails unless the user has at least one of these permissions
+authorise_user!(any_of: %w(edit create))
+
+# fails unless the user has both of these permissions
+authorise_user!(all_of: %w(edit create))
+```
+
+The signon application makes sure that only users who have been granted access to the application can access it (e.g. they have the `signin` permission for your app).
+
+### Authorisation for API Users
+
+In addition to the single-sign-on strategy, this gem also allows authorisation
+via a "bearer token". This is used by publishing applications to be authorised
+as an API user.
+
+To authorise with a bearer token, a request has to be made with the header:
+
+```
+Authorization: Bearer your-token-here
+```
+
+To avoid making these requests for each incoming request, this gem will [automatically cache a successful response](/lib/publishing_platform_sso/bearer_token.rb), using the [Rails cache](/lib/publishing_platform_sso/railtie.rb).
+
+If you are using a Rails app in
+[api_only](http://guides.rubyonrails.org/api_app.html) mode this gem will
+automatically disable the oauth layers which use session persistence. You can
+configure this gem to be in api_only mode (or not) with:
+
+```ruby
+PublishingPlatform::SSO.config do |config|
+  # ...
+  # Only support bearer token authentication and send responses in JSON
+  config.api_only = true
+end
+```
+
+### Use in production mode
+
+To use publishing_platform_sso in production you will need to setup the following environment variables, which we look for in [the config](/lib/publishing_platform_sso/config.rb). You will need to have admin access to Signon to get these.
+
+- PUBLISHING_PLATFORM_SSO_OAUTH_ID
+- PUBLISHING_PLATFORM_SSO_OAUTH_SECRET
+
+### Use in development mode
+
+In development, you generally want to be able to run an application without needing to run your own SSO server as well. publishing_platform_sso facilitates this by using a 'mock' mode in development. Mock mode loads an arbitrary user from the local application's user tables:
+
+```ruby
+PublishingPlatform::SSO.test_user || PublishingPlatform::SSO::Config.user_klass.first
+```
+
+To make it use a real strategy (e.g. if you're testing an app against the signon server), set the following environment variable when you run your app:
+
+```
+PUBLISHING_PLATFORM_SSO_STRATEGY=real
+```
+
+### Extra permissions for api users
+
+By default the mock strategies will create a user with `signin` permission.
+
+If your application needs different or extra permissions for access, you can specify this by adding the following to your config:
+
+```ruby
+PublishingPlatform::SSO.config do |config|
+  # other config here
+  config.additional_mock_permissions_required = ["array", "of", "permissions"]
+end
+```
+
+The mock bearer token will then ensure that the dummy api user has the required permission.
+
+## Licence
+
+[MIT License](LICENSE)

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/app/controllers/authentications_controller.rb

@@ -0,0 +1,17 @@
+class AuthenticationsController < ActionController::Base
+  include PublishingPlatform::SSO::ControllerMethods
+
+  before_action :authenticate_user!, only: :callback
+  layout false
+
+  def callback
+    redirect_to session["return_to"] || "/"
+  end
+
+  def failure; end
+
+  def sign_out
+    logout
+    redirect_to "#{PublishingPlatform::SSO::Config.oauth_root_url}/users/sign_out", allow_other_host: true
+  end
+end

data/app/views/authentications/failure.html.erb

@@ -0,0 +1,3 @@
+<h1>Error</h1>
+
+<p>There was a problem logging you into the application. Please <%= link_to "try again", "/auth/publishing_platform" %>.</p>

data/app/views/authorisations/unauthorised.html.erb

@@ -0,0 +1,5 @@
+<h1><%= message %></h1>
+
+<p>Please contact your Delivery Manager or main Publishing Platform contact if you think you should be able to do what you tried to do.</p>
+
+<p>If you think something is wrong, try <%= link_to "signing out", publishing_platform_sign_out_path %> and then back in</p>

data/config/routes.rb

@@ -0,0 +1,7 @@
+Rails.application.routes.draw do
+  next if PublishingPlatform::SSO::Config.api_only
+
+  get "/auth/publishing_platform/callback", to: "authentications#callback", as: :publishing_platform_sign_in
+  get "/auth/publishing_platform/sign_out", to: "authentications#sign_out", as: :publishing_platform_sign_out
+  get "/auth/failure",                      to: "authentications#failure",  as: :auth_failure
+end

data/lib/omniauth/strategies/publishing_platform.rb

@@ -0,0 +1,28 @@
+require "omniauth-oauth2"
+require "json"
+
+class OmniAuth::Strategies::PublishingPlatform < OmniAuth::Strategies::OAuth2
+  uid { user["uid"] }
+
+  option :pkce, true
+
+  info do
+    {
+      name: user["name"],
+      email: user["email"],
+    }
+  end
+
+  extra do
+    {
+      user:,
+      permissions: user["permissions"],
+      organisation_slug: user["organisation_slug"],
+      organisation_content_id: user["organisation_content_id"],
+    }
+  end
+
+  def user
+    @user ||= JSON.parse(access_token.get("/user.json?client_id=#{CGI.escape(options.client_id)}").body).fetch("user")
+  end
+end

data/lib/publishing_platform_sso/api_access.rb

@@ -0,0 +1,9 @@
+module PublishingPlatform
+  module SSO
+    class ApiAccess
+      def self.api_call?(env)
+        env["HTTP_AUTHORIZATION"].to_s =~ /\ABearer /
+      end
+    end
+  end
+end

data/lib/publishing_platform_sso/authorise_user.rb

@@ -0,0 +1,49 @@
+module PublishingPlatform
+  module SSO
+    class AuthoriseUser
+      def self.call(...) = new(...).call
+
+      def initialize(current_user, permissions)
+        @current_user = current_user
+        @permissions = permissions
+      end
+
+      def call
+        case permissions
+        when String
+          unless current_user.has_permission?(permissions)
+            raise PublishingPlatform::SSO::PermissionDeniedError, "Sorry, you don't seem to have the #{permissions} permission for this app."
+          end
+        when Hash
+          raise ArgumentError, "Must be either `any_of` or `all_of`" unless permissions.keys.size == 1
+
+          if permissions[:any_of]
+            authorise_user_with_at_least_one_of_permissions!(permissions[:any_of])
+          elsif permissions[:all_of]
+            authorise_user_with_all_permissions!(permissions[:all_of])
+          else
+            raise ArgumentError, "Must be either `any_of` or `all_of`"
+          end
+        end
+      end
+
+    private
+
+      attr_reader :current_user, :permissions
+
+      def authorise_user_with_at_least_one_of_permissions!(permissions)
+        if permissions.none? { |permission| current_user.has_permission?(permission) }
+          raise PublishingPlatform::SSO::PermissionDeniedError,
+                "Sorry, you don't seem to have any of the permissions: #{permissions.to_sentence} for this app."
+        end
+      end
+
+      def authorise_user_with_all_permissions!(permissions)
+        unless permissions.all? { |permission| current_user.has_permission?(permission) }
+          raise PublishingPlatform::SSO::PermissionDeniedError,
+                "Sorry, you don't seem to have all of the permissions: #{permissions.to_sentence} for this app."
+        end
+      end
+    end
+  end
+end

data/lib/publishing_platform_sso/bearer_token.rb

@@ -0,0 +1,75 @@
+require "json"
+require "oauth2"
+
+module PublishingPlatform
+  module SSO
+    module BearerToken
+      def self.locate(token_string)
+        user_details = PublishingPlatform::SSO::Config.cache.fetch(["api-user-cache", token_string], expires_in: 5.minutes) do
+          access_token = OAuth2::AccessToken.new(oauth_client, token_string)
+          response_body = access_token.get("/user.json?client_id=#{CGI.escape(PublishingPlatform::SSO::Config.oauth_id)}").body
+          omniauth_style_response(response_body)
+        end
+
+        PublishingPlatform::SSO::Config.user_klass.find_for_oauth(user_details)
+      rescue OAuth2::Error
+        nil
+      end
+
+      def self.oauth_client
+        @oauth_client ||= OAuth2::Client.new(
+          PublishingPlatform::SSO::Config.oauth_id,
+          PublishingPlatform::SSO::Config.oauth_secret,
+          site: PublishingPlatform::SSO::Config.oauth_root_url,
+          connection_opts: {
+            headers: {
+              user_agent: "publishing_platform_sso/#{PublishingPlatform::SSO::VERSION} (#{ENV['PUBLISHING_PLATFORM_APP_NAME']})",
+            },
+          }.merge(PublishingPlatform::SSO::Config.connection_opts),
+        )
+      end
+
+      # Our User code assumes we're getting our user data back
+      # via omniauth and so receiving it in omniauth's preferred
+      # structure. Here we're addressing signon directly so
+      # we need to transform the response ourselves.
+      def self.omniauth_style_response(response_body)
+        input = JSON.parse(response_body).fetch("user")
+
+        {
+          "uid" => input["uid"],
+          "info" => {
+            "email" => input["email"],
+            "name" => input["name"],
+          },
+          "extra" => {
+            "user" => {
+              "permissions" => input["permissions"],
+              "organisation_slug" => input["organisation_slug"],
+              "organisation_content_id" => input["organisation_content_id"],
+            },
+          },
+        }
+      end
+    end
+
+    module MockBearerToken
+      def self.locate(_token_string)
+        dummy_api_user = PublishingPlatform::SSO.test_user || PublishingPlatform::SSO::Config.user_klass.where(email: "dummyapiuser@domain.com").first
+        if dummy_api_user.nil?
+          dummy_api_user = PublishingPlatform::SSO::Config.user_klass.new
+          dummy_api_user.email = "dummyapiuser@domain.com"
+          dummy_api_user.uid = rand(10_000).to_s
+          dummy_api_user.name = "Dummy API user created by publishing_platform_sso"
+        end
+
+        unless dummy_api_user.has_all_permissions?(PublishingPlatform::SSO::Config.permissions_for_dummy_api_user)
+          dummy_api_user.permissions = PublishingPlatform::SSO::Config.permissions_for_dummy_api_user
+        end
+
+        dummy_api_user.save!
+        dummy_api_user
+      end
+    end
+  end
+end

data/lib/publishing_platform_sso/config.rb

@@ -0,0 +1,64 @@
+require "active_support/cache/null_store"
+
+module PublishingPlatform
+  module SSO
+    module Config
+      # rubocop:disable Style/ClassVars
+
+      # Name of the User class
+      mattr_accessor :user_model
+      @@user_model = "User"
+
+      # OAuth ID
+      mattr_accessor :oauth_id
+      @@oauth_id = ENV.fetch("PUBLISHING_PLATFORM_SSO_OAUTH_ID", "test-oauth-id")
+
+      # OAuth Secret
+      mattr_accessor :oauth_secret
+      @@oauth_secret = ENV.fetch("PUBLISHING_PLATFORM_SSO_OAUTH_SECRET", "test-oauth-secret")
+
+      # Location of the OAuth server
+      mattr_accessor :oauth_root_url
+      @@oauth_root_url = "http://signon.dev.publishing-platform.co.uk" # Plek.new.external_url_for("signon") # TODO: need to implement this functionality
+
+      mattr_accessor :auth_valid_for
+      @@auth_valid_for = 20 * 3600
+
+      mattr_accessor :cache
+
+      mattr_accessor :api_only
+
+      mattr_accessor :intercept_401_responses
+      @@intercept_401_responses = true
+
+      mattr_accessor :additional_mock_permissions_required
+
+      mattr_accessor :connection_opts
+      @@connection_opts = {
+        request: {
+          open_timeout: 5,
+        },
+      }
+
+      def self.permissions_for_dummy_api_user
+        %w[signin].push(*additional_mock_permissions_required)
+      end
+
+      def self.user_klass
+        user_model.to_s.constantize
+      end
+
+      def self.use_mock_strategies?
+        default_strategy = if %w[development test].include?(Rails.env)
+                             "mock"
+                           else
+                             "real"
+                           end
+
+        ENV.fetch("PUBLISHING_PLATFORM_SSO_STRATEGY", default_strategy) == "mock"
+      end
+
+      # rubocop:enable Style/ClassVars
+    end
+  end
+end

data/lib/publishing_platform_sso/controller_methods.rb

@@ -0,0 +1,48 @@
+module PublishingPlatform
+  module SSO
+    module ControllerMethods
+      def self.included(base)
+        base.rescue_from PermissionDeniedError do |e|
+          if PublishingPlatform::SSO::Config.api_only
+            render json: { message: e.message }, status: :forbidden
+          else
+            render "authorisations/unauthorised", status: :forbidden, locals: { message: e.message }
+          end
+        end
+
+        unless PublishingPlatform::SSO::Config.api_only
+          base.helper_method :user_signed_in?
+          base.helper_method :current_user
+        end
+      end
+
+      def authorise_user!(permissions)
+        # Ensure that we're authenticated (and by extension that current_user is set).
+        # Otherwise current_user might be nil, and we'd error out
+        authenticate_user!
+
+        PublishingPlatform::SSO::AuthoriseUser.call(current_user, permissions)
+      end
+
+      def authenticate_user!
+        warden.authenticate!
+      end
+
+      def user_signed_in?
+        warden && warden.authenticated?
+      end
+
+      def current_user
+        warden.user if user_signed_in?
+      end
+
+      def logout
+        warden.logout
+      end
+
+      def warden
+        request.env["warden"]
+      end
+    end
+  end
+end

data/lib/publishing_platform_sso/errors.rb

@@ -0,0 +1,6 @@
+module PublishingPlatform
+  module SSO
+    class PermissionDeniedError < StandardError
+    end
+  end
+end

data/lib/publishing_platform_sso/failure_app.rb

@@ -0,0 +1,59 @@
+require "action_controller/metal"
+require "rails"
+
+# Failure application that will be called every time :warden is thrown from
+# any strategy or hook.
+module PublishingPlatform
+  module SSO
+    class FailureApp < ActionController::Metal
+      include ActionController::UrlFor
+      include ActionController::Redirecting
+      include AbstractController::Rendering
+      include ActionController::Rendering
+      include ActionController::Renderers
+      use_renderers :json
+
+      include Rails.application.routes.url_helpers
+
+      def self.call(env)
+        if PublishingPlatform::SSO::ApiAccess.api_call?(env)
+          action(:api_invalid_token).call(env)
+        elsif PublishingPlatform::SSO::Config.api_only
+          action(:api_missing_token).call(env)
+        else
+          action(:redirect).call(env)
+        end
+      end
+
+      def redirect
+        store_location!
+        redirect_to "/auth/publishing_platform"
+      end
+
+      def api_invalid_token
+        api_unauthorized("Bearer token does not appear to be valid", "invalid_token")
+      end
+
+      def api_missing_token
+        api_unauthorized("No bearer token was provided", "invalid_request")
+      end
+
+      # Stores requested uri to redirect the user after signing in. We cannot use
+      # scoped session provided by warden here, since the user is not authenticated
+      # yet, but we still need to store the uri based on scope, so different scopes
+      # would never use the same uri to redirect.
+
+      # TOTALLY NOT DOING THE SCOPE THING. PROBABLY SHOULD.
+      def store_location!
+        session["return_to"] = request.env["warden.options"][:attempted_path] if request.get?
+      end
+
+    private
+
+      def api_unauthorized(message, bearer_error)
+        headers["WWW-Authenticate"] = %(Bearer error="#{bearer_error}")
+        render json: { message: }, status: :unauthorized
+      end
+    end
+  end
+end

data/lib/publishing_platform_sso/railtie.rb

@@ -0,0 +1,17 @@
+module PublishingPlatform
+  module SSO
+    class Railtie < Rails::Railtie
+      config.action_dispatch.rescue_responses.merge!(
+        "PublishingPlatform::SSO::PermissionDeniedError" => :forbidden,
+      )
+
+      initializer "publishing_platform_sso.initializer" do
+        PublishingPlatform::SSO.config do |config|
+          config.cache = Rails.cache
+          config.api_only = Rails.configuration.api_only
+        end
+        OmniAuth.config.logger = Rails.logger
+      end
+    end
+  end
+end

data/lib/publishing_platform_sso/user.rb

@@ -0,0 +1,50 @@
+require "active_support/concern"
+
+module PublishingPlatform
+  module SSO
+    module User
+      extend ActiveSupport::Concern
+
+      def has_permission?(permission)
+        if permissions
+          permissions.include?(permission)
+        end
+      end
+
+      def has_all_permissions?(required_permissions)
+        if permissions
+          required_permissions.all? do |required_permission|
+            permissions.include?(required_permission)
+          end
+        end
+      end
+
+      def self.user_params_from_auth_hash(auth_hash)
+        {
+          "uid" => auth_hash["uid"],
+          "email" => auth_hash["info"]["email"],
+          "name" => auth_hash["info"]["name"],
+          "permissions" => auth_hash["extra"]["user"]["permissions"],
+          "organisation_slug" => auth_hash["extra"]["user"]["organisation_slug"],
+          "organisation_content_id" => auth_hash["extra"]["user"]["organisation_content_id"],
+          "disabled" => auth_hash["extra"]["user"]["disabled"],
+        }
+      end
+
+      module ClassMethods
+        def find_for_oauth(auth_hash)
+          user_params = PublishingPlatform::SSO::User.user_params_from_auth_hash(auth_hash.to_hash)
+          user = where(uid: user_params["uid"]).first ||
+            where(email: user_params["email"]).first
+
+          if user
+            user.update!(user_params)
+            user
+          else # Create a new user.
+            create!(user_params)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/publishing_platform_sso/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module PublishingPlatform
+  module SSO
+    VERSION = "0.2.0"
+  end
+end

data/lib/publishing_platform_sso/warden_config.rb

@@ -0,0 +1,81 @@
+require "warden"
+require "warden-oauth2"
+require "publishing_platform_sso/bearer_token"
+
+def logger
+  Rails.logger || env["rack.logger"]
+end
+
+Warden::Manager.serialize_into_session do |user|
+  if user.respond_to?(:uid) && user.uid
+    [user.uid, Time.now.utc.iso8601]
+  end
+end
+
+Warden::Manager.serialize_from_session do |(uid, auth_timestamp)|
+  # This will reject old sessions that don't have a previous login timestamp
+  if auth_timestamp.is_a?(String)
+    begin
+      auth_timestamp = Time.parse(auth_timestamp)
+    rescue ArgumentError
+      auth_timestamp = nil
+    end
+  end
+
+  if auth_timestamp && ((auth_timestamp + PublishingPlatform::SSO::Config.auth_valid_for) > Time.now.utc)
+    PublishingPlatform::SSO::Config.user_klass.where(uid:).first
+  end
+end
+
+Warden::Strategies.add(:publishing_platform_sso) do
+  def valid?
+    !::PublishingPlatform::SSO::ApiAccess.api_call?(env)
+  end
+
+  def authenticate!
+    logger.debug("Authenticating with publishing_platform_sso strategy")
+
+    if request.env["omniauth.auth"].nil?
+      fail!("No credentials, bub")
+    else
+      user = prep_user(request.env["omniauth.auth"])
+      success!(user)
+    end
+  end
+
+private
+
+  def prep_user(auth_hash)
+    user = publishing_platform_sso::SSO::Config.user_klass.find_for_oauth(auth_hash)
+    fail!("Couldn't process credentials") unless user
+    user
+  end
+end
+
+Warden::OAuth2.configure do |config|
+  config.token_model = PublishingPlatform::SSO::Config.use_mock_strategies? ? PublishingPlatform::SSO::MockBearerToken : PublishingPlatform::SSO::BearerToken
+end
+Warden::Strategies.add(:publishing_platform_bearer_token, Warden::OAuth2::Strategies::Bearer)
+
+Warden::Strategies.add(:mock_publishing_platform_sso) do
+  def valid?
+    !::PublishingPlatform::SSO::ApiAccess.api_call?(env)
+  end
+
+  def authenticate!
+    logger.warn("Authenticating with mock_publishing_platform_sso strategy")
+
+    test_user = PublishingPlatform::SSO.test_user
+    test_user ||= PublishingPlatform::SSO::Config.user_klass.first
+    if test_user
+      # Brute force ensure test user has correct perms to signin
+      unless test_user.has_permission?("signin")
+        permissions = test_user.permissions || []
+        test_user.update_attribute(:permissions, permissions << "signin")
+      end
+      success!(test_user)
+    else
+      raise "publishing_platform_sso running in mock mode and no test user found. Normally we'd load the first user in the database. Create a user in the database."
+    end
+  end
+end

data/lib/publishing_platform_sso.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require "rails"
+
+require "publishing_platform_sso/config"
+require "publishing_platform_sso/version"
+require "publishing_platform_sso/warden_config"
+require "omniauth"
+require "omniauth/strategies/publishing_platform"
+
+require "publishing_platform_sso/railtie" if defined?(Rails)
+
+module PublishingPlatform
+  module SSO
+    autoload :FailureApp,               "publishing_platform_sso/failure_app"
+    autoload :ControllerMethods,        "publishing_platform_sso/controller_methods"
+    autoload :User,                     "publishing_platform_sso/user"
+    autoload :ApiAccess,                "publishing_platform_sso/api_access"
+    autoload :AuthoriseUser,            "publishing_platform_sso/authorise_user"
+    autoload :PermissionDeniedError,    "publishing_platform_sso/errors"
+
+    # User to return as logged in during tests
+    mattr_accessor :test_user
+
+    def self.config
+      yield PublishingPlatform::SSO::Config
+    end
+
+    class Engine < ::Rails::Engine
+      # Force routes to be loaded if we are doing any eager load.
+      # TODO - check this one - Stolen from Devise because it looked sensible...
+      config.before_eager_load(&:reload_routes!)
+
+      OmniAuth.config.allowed_request_methods = %i[post get]
+
+      config.app_middleware.use ::OmniAuth::Builder do
+        next if PublishingPlatform::SSO::Config.api_only
+
+        provider :publishing_platform, PublishingPlatform::SSO::Config.oauth_id, PublishingPlatform::SSO::Config.oauth_secret,
+                 client_options: {
+                   site: PublishingPlatform::SSO::Config.oauth_root_url,
+                   authorize_url: "#{PublishingPlatform::SSO::Config.oauth_root_url}/oauth/authorize",
+                   token_url: "#{PublishingPlatform::SSO::Config.oauth_root_url}/oauth/access_token",
+                   connection_opts: {
+                     headers: {
+                       user_agent: "publishing_platform_sso/#{PublishingPlatform::SSO::VERSION} (#{ENV['PUBLISHING_PLATFORM_APP_NAME']})",
+                     },
+                   },
+                 }
+      end
+
+      def self.default_strategies
+        Config.use_mock_strategies? ? %i[mock_publishing_platform_sso publishing_platform_bearer_token] : %i[publishing_platform_sso publishing_platform_bearer_token]
+      end
+
+      config.app_middleware.use Warden::Manager do |config|
+        config.default_strategies(*default_strategies)
+        config.failure_app = PublishingPlatform::SSO::FailureApp
+        config.intercept_401 = PublishingPlatform::SSO::Config.intercept_401_responses
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,160 @@
+--- !ruby/object:Gem::Specification
+name: publishing_platform_sso
+version: !ruby/object:Gem::Version
+  version: 0.2.0
+platform: ruby
+authors:
+- Publishing Platform
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2024-05-31 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7'
+- !ruby/object:Gem::Dependency
+  name: warden
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: warden-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.0.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.0.1
+- !ruby/object:Gem::Dependency
+  name: publishing_platform_rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Client for Publishing Platform's OAuth 2-based SSO.
+email: 
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- README.md
+- Rakefile
+- app/controllers/authentications_controller.rb
+- app/views/authentications/failure.html.erb
+- app/views/authorisations/unauthorised.html.erb
+- config/routes.rb
+- lib/omniauth/strategies/publishing_platform.rb
+- lib/publishing_platform_sso.rb
+- lib/publishing_platform_sso/api_access.rb
+- lib/publishing_platform_sso/authorise_user.rb
+- lib/publishing_platform_sso/bearer_token.rb
+- lib/publishing_platform_sso/config.rb
+- lib/publishing_platform_sso/controller_methods.rb
+- lib/publishing_platform_sso/errors.rb
+- lib/publishing_platform_sso/failure_app.rb
+- lib/publishing_platform_sso/railtie.rb
+- lib/publishing_platform_sso/user.rb
+- lib/publishing_platform_sso/version.rb
+- lib/publishing_platform_sso/warden_config.rb
+homepage: 
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.7
+signing_key: 
+specification_version: 4
+summary: Client for Publishing Platform's OAuth 2-based SSO.
+test_files: []