sso 0.0.2 → 0.1.0.alpha1

data/spec/dummy/config/initializers/session_store.rb

@@ -0,0 +1,3 @@
+# Be sure to restart your server when you modify this file.
+
+Rails.application.config.session_store :cookie_store, key: '_dummy_session'

data/spec/dummy/config/initializers/sso.rb

@@ -0,0 +1,37 @@
+# POI
+
+# This is the minimal configuration you need to do for using the sso gem.
+
+SSO.configure do |config|
+
+  config.find_user_for_passport = proc do |passport, ip|
+    # This is your chance to modify the user instance before it is handed out to the OAuth client apps.
+
+    progname = 'SSO.config.find_user_for_passport'
+    Rails.logger.debug(progname) { "Looking up User #{passport.owner_id} belonging to Passport #{passport.id} surfing with IP #{ip}..." }
+    user = User.find_by_id passport.owner_id
+    return unless user
+
+    # The IP address, for example, might be used to set certain flags on the user object.
+    # If these flags are included in the #user_state base (see below), all OAuth client apps are immediately aware of the change.
+    if ip == '198.51.100.74'
+      user.tags << :is_at_the_office
+    else
+      user.tags << :is_working_from_home
+    end
+
+    user
+  end
+
+  config.user_state_base = proc do |user|
+    # Include the end-user credentials to force all OAuth client apps to refetch the end-user Passports.
+    # This way you can revoke all relevant Passports on SSO-logout and the OAuth client apps are immediately aware of it.
+    [user.email, user.password, user.tags.sort].join
+  end
+
+  # This is a rather static key used to calculate whether a user state changed and needs to be propagated to the OAuth clients.
+  # It's not a problem if this changes, as long as it's somewhat deterministic.
+  # In our case, we simply derive it from the Rails secret_key_base so we don't have to remember yet another secret somewhere.
+  generator = ActiveSupport::KeyGenerator.new Rails.application.config.secret_key_base, iterations: 1000
+  config.user_state_key = Rails.application.config.user_state_digest_key = generator.generate_key 'user state digest key'
+end

data/spec/dummy/config/initializers/warden.rb

@@ -0,0 +1,29 @@
+# POI
+::Warden::Strategies.add :password do
+  def valid?
+    params['username'].present?
+  end
+
+  def authenticate!
+    Rails.logger.debug(progname) { 'Authenticating from username and password...' }
+
+    user = ::User.authenticate params['username'], params['password']
+
+    if user
+      Rails.logger.debug(progname) { 'Authentication from username and password successful.' }
+      success! user
+    else
+      Rails.logger.debug(progname) { 'Authentication from username and password failed.' }
+      fail! 'Could not login.'
+    end
+  end
+
+  def progname
+    'Warden::Strategies.password'
+  end
+end
+
+# POI
+Warden::Manager.after_authentication(&::SSO::Server::Warden::Hooks::AfterAuthentication.to_proc)
+Warden::Manager.before_logout(&::SSO::Server::Warden::Hooks::BeforeLogout.to_proc)
+Warden::Strategies.add :passport, ::SSO::Server::Warden::Strategies::Passport

data/spec/dummy/config/initializers/wrap_parameters.rb

@@ -0,0 +1,14 @@
+# Be sure to restart your server when you modify this file.
+
+# This file contains settings for ActionController::ParamsWrapper which
+# is enabled by default.
+
+# Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array.
+ActiveSupport.on_load(:action_controller) do
+  wrap_parameters format: [:json] if respond_to?(:wrap_parameters)
+end
+
+# To enable root element in JSON for ActiveRecord objects.
+# ActiveSupport.on_load(:active_record) do
+#  self.include_root_in_json = true
+# end

data/spec/dummy/config/locales/doorkeeper.en.yml

@@ -0,0 +1,151 @@
+en:
+  activerecord:
+    attributes:
+      doorkeeper/application:
+        name: 'Name'
+        redirect_uri: 'Redirect URI'
+    errors:
+      models:
+        doorkeeper/application:
+          attributes:
+            redirect_uri:
+              fragment_present: 'cannot contain a fragment.'
+              invalid_uri: 'must be a valid URI.'
+              relative_uri: 'must be an absolute URI.'
+              secured_uri: 'must be an HTTPS/SSL URI.'
+
+  mongoid:
+    attributes:
+      doorkeeper/application:
+        name: 'Name'
+        redirect_uri: 'Redirect URI'
+    errors:
+      models:
+        doorkeeper/application:
+          attributes:
+            redirect_uri:
+              fragment_present: 'cannot contain a fragment.'
+              invalid_uri: 'must be a valid URI.'
+              relative_uri: 'must be an absolute URI.'
+              secured_uri: 'must be an HTTPS/SSL URI.'
+
+  mongo_mapper:
+    attributes:
+      doorkeeper/application:
+        name: 'Name'
+        redirect_uri: 'Redirect URI'
+    errors:
+      models:
+        doorkeeper/application:
+          attributes:
+            redirect_uri:
+              fragment_present: 'cannot contain a fragment.'
+              invalid_uri: 'must be a valid URI.'
+              relative_uri: 'must be an absolute URI.'
+              secured_uri: 'must be an HTTPS/SSL URI.'
+
+  doorkeeper:
+    applications:
+      confirmations:
+        destroy: 'Are you sure?'
+      buttons:
+        edit: 'Edit'
+        destroy: 'Destroy'
+        submit: 'Submit'
+        cancel: 'Cancel'
+        authorize: 'Authorize'
+      form:
+        error: 'Whoops! Check your form for possible errors'
+      help:
+        redirect_uri: 'Use one line per URI'
+        native_redirect_uri: 'Use %{native_redirect_uri} for local tests'
+      edit:
+        title: 'Edit application'
+      index:
+        title: 'Your applications'
+        new: 'New Application'
+        name: 'Name'
+        callback_url: 'Callback URL'
+      new:
+        title: 'New Application'
+      show:
+        title: 'Application: %{name}'
+        application_id: 'Application Id'
+        secret: 'Secret'
+        callback_urls: 'Callback urls'
+        actions: 'Actions'
+
+    authorizations:
+      buttons:
+        authorize: 'Authorize'
+        deny: 'Deny'
+      error:
+        title: 'An error has occurred'
+      new:
+        title: 'Authorize required'
+        prompt: 'Authorize %{client_name} to use your account?'
+        able_to: 'This application will be able to'
+      show:
+        title: 'Authorization code'
+
+    authorized_applications:
+      confirmations:
+        revoke: 'Are you sure?'
+      buttons:
+        revoke: 'Revoke'
+      index:
+        title: 'Your authorized applications'
+        application: 'Application'
+        created_at: 'Created At'
+        date_format: '%Y-%m-%d %H:%M:%S'
+
+    errors:
+      messages:
+        # Common error messages
+        invalid_request: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
+        invalid_redirect_uri: 'The redirect uri included is not valid.'
+        unauthorized_client: 'The client is not authorized to perform this request using this method.'
+        access_denied: 'The resource owner or authorization server denied the request.'
+        invalid_scope: 'The requested scope is invalid, unknown, or malformed.'
+        server_error: 'The authorization server encountered an unexpected condition which prevented it from fulfilling the request.'
+        temporarily_unavailable: 'The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.'
+
+        #configuration error messages
+        credential_flow_not_configured: 'Resource Owner Password Credentials flow failed due to Doorkeeper.configure.resource_owner_from_credentials being unconfigured.'
+        resource_owner_authenticator_not_configured: 'Resource Owner find failed due to Doorkeeper.configure.resource_owner_authenticator being unconfiged.'
+
+        # Access grant errors
+        unsupported_response_type: 'The authorization server does not support this response type.'
+
+        # Access token errors
+        invalid_client: 'Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method.'
+        invalid_grant: 'The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.'
+        unsupported_grant_type: 'The authorization grant type is not supported by the authorization server.'
+
+        # Password Access token errors
+        invalid_resource_owner: 'The provided resource owner credentials are not valid, or resource owner cannot be found'
+
+        invalid_token:
+          revoked: "The access token was revoked"
+          expired: "The access token expired"
+          unknown: "The access token is invalid"
+
+    flash:
+      applications:
+        create:
+          notice: 'Application created.'
+        destroy:
+          notice: 'Application deleted.'
+        update:
+          notice: 'Application updated.'
+      authorized_applications:
+        destroy:
+          notice: 'Application revoked.'
+
+    layouts:
+      admin:
+        nav:
+          oauth2_provider: 'OAuth2 Provider'
+          applications: 'Applications'
+      application:
+        title: 'OAuth authorize required'

data/spec/dummy/config/locales/en.yml

@@ -0,0 +1,23 @@
+# Files in the config/locales directory are used for internationalization
+# and are automatically loaded by Rails. If you want to use locales other
+# than English, add the necessary files in this directory.
+#
+# To use the locales, use `I18n.t`:
+#
+#     I18n.t 'hello'
+#
+# In views, this is aliased to just `t`:
+#
+#     <%= t('hello') %>
+#
+# To use a different locale, set it with `I18n.locale`:
+#
+#     I18n.locale = :es
+#
+# This would use the information in config/locales/es.yml.
+#
+# To learn more, please read the Rails Internationalization guide
+# available at http://guides.rubyonrails.org/i18n.html.
+
+en:
+  hello: "Hello world"

data/spec/dummy/config/routes.rb

@@ -0,0 +1,12 @@
+Rails.application.routes.draw do
+
+  use_doorkeeper do
+    skip_controllers :applications, :authorized_applications
+  end
+
+  resources :sessions, only: [:new, :create]
+  get '/logout(/:passport_id)', to: 'sessions#logout', as: :logout
+
+  root to: 'home#index'
+
+end

data/spec/dummy/db/migrate/20150302113121_add_users.rb

@@ -0,0 +1,14 @@
+# This is not part of SSO, this is simply an example implementation of a user model.
+
+class AddUsers < ActiveRecord::Migration
+  def change
+    create_table :users do |t|
+      t.string :name, null: false
+      t.string :email, null: false
+      t.string :password, null: false  # <- Of course you would have this encrypted in a real-life setup
+      t.string :tags, array: true, default: []
+      t.boolean :vip
+      t.timestamps null: false
+    end
+  end
+end

data/spec/dummy/db/migrate/20150303054803_create_doorkeeper_tables.rb

@@ -0,0 +1,51 @@
+# POI
+
+# This migration file is created when you run `rails generate doorkeeper:install` in your OAuth Server Rails app.
+# These tables are needed for Doorkeeper to work, see also https://github.com/doorkeeper-gem/doorkeeper#installation
+# This migration here has *not* been modified. You simply see the original file below, created by the Doorkeeper generator.
+
+# Note, however, that it was generated with Doorkeeper >= 2.0.0, since it has the `scopes` column on the `oauth_applications` table.
+# We make use of that column and it was introduced here: https://github.com/doorkeeper-gem/doorkeeper/blob/master/CHANGELOG.md#200
+
+class CreateDoorkeeperTables < ActiveRecord::Migration
+  def change
+    create_table :oauth_applications do |t|
+      t.string  :name,         null: false
+      t.string  :uid,          null: false
+      t.string  :secret,       null: false
+      t.text    :redirect_uri, null: false
+      t.string  :scopes,       null: false, default: ''   # <- Exists only with Doorkeeper 2.0.0 or higher.
+      t.timestamps null: false
+    end
+
+    add_index :oauth_applications, :uid, unique: true
+
+    create_table :oauth_access_grants do |t|
+      t.integer  :resource_owner_id, null: false
+      t.integer  :application_id,    null: false
+      t.string   :token,             null: false
+      t.integer  :expires_in,        null: false
+      t.text     :redirect_uri,      null: false
+      t.datetime :created_at,        null: false
+      t.datetime :revoked_at
+      t.string   :scopes
+    end
+
+    add_index :oauth_access_grants, :token, unique: true
+
+    create_table :oauth_access_tokens do |t|
+      t.integer  :resource_owner_id
+      t.integer  :application_id
+      t.string   :token,             null: false
+      t.string   :refresh_token
+      t.integer  :expires_in
+      t.datetime :revoked_at
+      t.datetime :created_at,        null: false
+      t.string   :scopes
+    end
+
+    add_index :oauth_access_tokens, :token, unique: true
+    add_index :oauth_access_tokens, :resource_owner_id
+    add_index :oauth_access_tokens, :refresh_token, unique: true
+  end
+end

data/spec/dummy/db/migrate/20150303132931_create_passports_table.rb

@@ -0,0 +1,38 @@
+# POI
+
+# This is what the Passport table on the SSO Server looks like. You need to have this migration.
+# As you can see it uses the `uuid` and `inet` column types. So you are kind of stuck with Postgres.
+# However, there should be no reason for you not to simply use `integer` and `string` for those two columns instead.
+
+class CreatePassportsTable < ActiveRecord::Migration
+  def change
+    enable_extension 'uuid-ossp'
+
+    create_table :passports, id: :uuid do |t|
+      t.integer :oauth_access_grant_id
+      t.integer :oauth_access_token_id
+      t.integer :application_id, null: false
+      t.integer :owner_id, null: false
+      t.string :group_id, null: false
+      t.string :secret, null: false, unique: true
+      t.inet :ip, null: false
+      t.string :agent
+      t.string :location
+      t.datetime :activity_at, null: false
+      t.datetime :revoked_at
+      t.string :revoke_reason
+      t.timestamps null: false
+    end
+
+    add_index :passports, [:owner_id, :oauth_access_token_id], where: 'revoked_at IS NULL AND oauth_access_token_id IS NOT NULL', unique: true, name: :one_access_token_per_owner
+
+    add_index :passports, :oauth_access_grant_id
+    add_index :passports, :oauth_access_token_id
+    add_index :passports, :application_id
+    add_index :passports, :owner_id
+    add_index :passports, :group_id
+    add_index :passports, :secret
+    add_index :passports, :ip
+    add_index :passports, :revoke_reason
+  end
+end

data/spec/dummy/db/schema.rb

@@ -0,0 +1,97 @@
+# encoding: UTF-8
+# This file is auto-generated from the current state of the database. Instead
+# of editing this file, please use the migrations feature of Active Record to
+# incrementally modify your database, and then regenerate this schema definition.
+#
+# Note that this schema.rb definition is the authoritative source for your
+# database schema. If you need to create the application database on another
+# system, you should be using db:schema:load, not running all the migrations
+# from scratch. The latter is a flawed and unsustainable approach (the more migrations
+# you'll amass, the slower it'll run and the greater likelihood for issues).
+#
+# It's strongly recommended that you check this file into your version control system.
+
+ActiveRecord::Schema.define(version: 20150303132931) do
+
+  # These are extensions that must be enabled in order to support this database
+  enable_extension "plpgsql"
+  enable_extension "uuid-ossp"
+
+  create_table "oauth_access_grants", force: :cascade do |t|
+    t.integer  "resource_owner_id", null: false
+    t.integer  "application_id",    null: false
+    t.string   "token",             null: false
+    t.integer  "expires_in",        null: false
+    t.text     "redirect_uri",      null: false
+    t.datetime "created_at",        null: false
+    t.datetime "revoked_at"
+    t.string   "scopes"
+  end
+
+  add_index "oauth_access_grants", ["token"], name: "index_oauth_access_grants_on_token", unique: true, using: :btree
+
+  create_table "oauth_access_tokens", force: :cascade do |t|
+    t.integer  "resource_owner_id"
+    t.integer  "application_id"
+    t.string   "token",             null: false
+    t.string   "refresh_token"
+    t.integer  "expires_in"
+    t.datetime "revoked_at"
+    t.datetime "created_at",        null: false
+    t.string   "scopes"
+  end
+
+  add_index "oauth_access_tokens", ["refresh_token"], name: "index_oauth_access_tokens_on_refresh_token", unique: true, using: :btree
+  add_index "oauth_access_tokens", ["resource_owner_id"], name: "index_oauth_access_tokens_on_resource_owner_id", using: :btree
+  add_index "oauth_access_tokens", ["token"], name: "index_oauth_access_tokens_on_token", unique: true, using: :btree
+
+  create_table "oauth_applications", force: :cascade do |t|
+    t.string   "name",                      null: false
+    t.string   "uid",                       null: false
+    t.string   "secret",                    null: false
+    t.text     "redirect_uri",              null: false
+    t.string   "scopes",       default: "", null: false
+    t.datetime "created_at",                null: false
+    t.datetime "updated_at",                null: false
+  end
+
+  add_index "oauth_applications", ["uid"], name: "index_oauth_applications_on_uid", unique: true, using: :btree
+
+  create_table "passports", id: :uuid, default: "uuid_generate_v4()", force: :cascade do |t|
+    t.integer  "oauth_access_grant_id"
+    t.integer  "oauth_access_token_id"
+    t.integer  "application_id",        null: false
+    t.integer  "owner_id",              null: false
+    t.string   "group_id",              null: false
+    t.string   "secret",                null: false
+    t.inet     "ip",                    null: false
+    t.string   "agent"
+    t.string   "location"
+    t.datetime "activity_at",           null: false
+    t.datetime "revoked_at"
+    t.string   "revoke_reason"
+    t.datetime "created_at",            null: false
+    t.datetime "updated_at",            null: false
+  end
+
+  add_index "passports", ["application_id"], name: "index_passports_on_application_id", using: :btree
+  add_index "passports", ["group_id"], name: "index_passports_on_group_id", using: :btree
+  add_index "passports", ["ip"], name: "index_passports_on_ip", using: :btree
+  add_index "passports", ["oauth_access_grant_id"], name: "index_passports_on_oauth_access_grant_id", using: :btree
+  add_index "passports", ["oauth_access_token_id"], name: "index_passports_on_oauth_access_token_id", using: :btree
+  add_index "passports", ["owner_id", "oauth_access_token_id"], name: "one_access_token_per_owner", unique: true, where: "((revoked_at IS NULL) AND (oauth_access_token_id IS NOT NULL))", using: :btree
+  add_index "passports", ["owner_id"], name: "index_passports_on_owner_id", using: :btree
+  add_index "passports", ["revoke_reason"], name: "index_passports_on_revoke_reason", using: :btree
+  add_index "passports", ["secret"], name: "index_passports_on_secret", using: :btree
+
+  create_table "users", force: :cascade do |t|
+    t.string   "name",                    null: false
+    t.string   "email",                   null: false
+    t.string   "password",                null: false
+    t.string   "tags",       default: [],              array: true
+    t.boolean  "vip"
+    t.datetime "created_at",              null: false
+    t.datetime "updated_at",              null: false
+  end
+
+end