sso 0.1.0.alpha1 → 0.1.0.alpha2

data/lib/sso/server/doorkeeper/resource_owner_authenticator.rb

@@ -0,0 +1,44 @@
+module SSO
+  module Server
+    module Doorkeeper
+      class ResourceOwnerAuthenticator
+        include ::SSO::Logging
+
+        attr_reader :controller
+
+        def self.to_proc
+          proc { ::SSO::Server::Doorkeeper::ResourceOwnerAuthenticator.new(controller: self).call }
+        end
+
+        def initialize(controller:)
+          @controller = controller
+        end
+
+        def call
+          debug { 'Detected "Authorization Code Grant" flow. Checking resource owner authentication...' }
+
+          unless warden
+            fail ::SSO::Server::Errors::WardenMissing, 'Please use the Warden middleware.'
+          end
+
+          if current_user
+            debug { "Yes, User with ID #{current_user.inspect} has a session." }
+            current_user
+          else
+            debug { 'No, no User is logged in right now. Initializing authentication procedure...' }
+            warden.authenticate! :password
+          end
+        end
+
+        def warden
+          controller.request.env['warden']
+        end
+
+        def current_user
+          warden.user
+        end
+
+      end
+    end
+  end
+end

data/lib/sso/server/engine.rb

@@ -0,0 +1,16 @@
+module SSO
+  class Engine < ::Rails::Engine
+    isolate_namespace SSO
+
+    initializer 'sso.add_middleware' do |app|
+      app.middleware.insert_after ::Warden::Manager, ::SSO::Server::Middleware::PassportVerification
+      app.middleware.insert_after ::Warden::Manager, ::SSO::Server::Doorkeeper::GrantMarker
+      app.middleware.insert_after ::Warden::Manager, ::SSO::Server::Doorkeeper::AccessTokenMarker
+    end
+
+    config.generators do |g|
+      g.test_framework :rspec
+      g.fixture_replacement :factory_girl, dir: 'spec/factories'
+    end
+  end
+end

data/lib/sso/server/errors.rb

@@ -0,0 +1,11 @@
+module SSO
+  module Server
+    module Errors
+
+      Error = Class.new(StandardError)
+
+      WardenMissing = Class.new(Error)
+
+    end
+  end
+end

data/lib/sso/server/geolocations.rb

@@ -0,0 +1,10 @@
+module SSO
+  module Server
+    module Geolocations
+      def self.human_readable_location_for_ip(_)
+        # Implement your favorite GeoIP lookup here
+        'New York'
+      end
+    end
+  end
+end

data/lib/sso/server/middleware/passport_verification.rb

@@ -0,0 +1,30 @@
+module SSO
+  module Server
+    module Middleware
+      class PassportVerification
+        include ::SSO::Logging
+
+        def initialize(app)
+          @app = app
+        end
+
+        def call(env)
+          request = Rack::Request.new(env)
+
+          if request.get? && request.path == passports_path
+            debug { 'Detected incoming Passport verification request.' }
+            env['warden'].authenticate! :passport
+          else
+            debug { "I'm not interested in this request to #{request.path}" }
+            @app.call(env)
+          end
+        end
+
+        def passports_path
+          OmniAuth::Strategies::SSO.passports_path
+        end
+
+      end
+    end
+  end
+end

data/lib/sso/server/passport.rb

@@ -0,0 +1,92 @@
+require 'active_record'
+
+module SSO
+  module Server
+    # This could be MongoDB or whatever
+    class Passport < ActiveRecord::Base
+      include ::SSO::Logging
+
+      self.table_name = 'passports'
+
+      before_validation :ensure_secret
+      before_validation :ensure_group_id
+      before_validation :ensure_activity_at
+
+      before_save :update_location
+
+      belongs_to :application, class_name: 'Doorkeeper::Application'
+
+      validates :secret, :group_id, presence: true
+      validates :oauth_access_token_id, uniqueness: { scope: [:owner_id, :revoked_at], allow_blank: true }
+      validates :revoke_reason, allow_blank: true, format: { with: /\A[a-z_]+\z/ }
+      validates :application_id, presence: true, numericality: { only_integer: true, greater_than_or_equal_to: 0 }
+
+      attr_accessor :user
+
+      def export
+        debug { "Exporting Passport #{id} including the encapsulated user." }
+        {
+          id: id,
+          secret: secret,
+          user: user,
+        }
+      end
+
+      def to_s
+        ['Passport', owner_id, ip, activity_at].join ', '
+      end
+
+      def state
+        if user
+          @state ||= state!
+        else
+          warn { 'Wait a minute, this Passport is not encapsulating a user!' }
+          'missing_user_for_state_calculation'
+        end
+      end
+
+      def state!
+        result = nil
+        time = Benchmark.realtime do
+          result = OpenSSL::HMAC.hexdigest user_state_digest, user_state_key, user_state_base
+        end
+        debug { "The user state digest is #{result.inspect}" }
+        debug { "Calculating the user state took #{(time * 1000).round(2)}ms" }
+        result
+      end
+
+      def user_state_digest
+        OpenSSL::Digest.new 'sha1'
+      end
+
+      def user_state_key
+        ::SSO.config.user_state_key
+      end
+
+      def user_state_base
+        ::SSO.config.user_state_base.call user
+      end
+
+      private
+
+      def ensure_secret
+        self.secret ||= SecureRandom.uuid
+      end
+
+      def ensure_group_id
+        self.group_id ||= SecureRandom.uuid
+      end
+
+      def ensure_activity_at
+        self.activity_at ||= Time.now
+      end
+
+      def update_location
+        location_name = ::SSO::Server::Geolocations.human_readable_location_for_ip ip
+        debug { "Updating geolocation for #{ip} which is #{location_name}" }
+        self.location = location_name
+      end
+
+    end
+  end
+end

data/lib/sso/server/passports.rb

@@ -0,0 +1,148 @@
+module SSO
+  module Server
+    # This is the one interaction point with persisting and querying Passports.
+    module Passports
+      extend ::SSO::Logging
+
+      def self.find(id)
+        record = backend.find_by_id(id)
+
+        if record
+          Operation.success(:record_found, object: record)
+        else
+          Operations.failure :record_not_found
+        end
+
+      rescue => exception
+        Operations.failure :backend_error, object: exception
+      end
+
+      def self.generate(owner_id:, ip:, agent:)
+        debug { "Generating Passport for user ID #{owner_id.inspect} and IP #{ip.inspect} and Agent #{agent.inspect}" }
+
+        record = backend.create owner_id: owner_id, ip: ip, agent: agent, application_id: 0
+
+        if record.persisted?
+          debug { "Successfully generated passport with ID #{record.id}" }
+          Operations.success :generation_successful, object: record.id
+        else
+          Operations.failure :persistence_failed, object: record.errors.to_hash
+        end
+      end
+
+      def self.register_authorization_grant(passport_id:, token:)
+        record       = find_valid_passport(passport_id) { |failure| return failure }
+        access_grant = find_valid_access_grant(token)   { |failure| return failure }
+
+        if record.update_attribute :oauth_access_grant_id, access_grant.id
+          debug { "Successfully augmented Passport #{record.id} with Authorization Grant ID #{access_grant.id} which is #{access_grant.token}" }
+          Operations.success :passport_augmented_with_access_token
+        else
+          Operations.failure :could_not_augment_passport_with_access_token
+        end
+      end
+
+      def self.register_access_token_from_grant(grant_token:, access_token:)
+        access_grant = find_valid_access_grant(grant_token)             { |failure| return failure }
+        access_token = find_valid_access_token(access_token)            { |failure| return failure }
+        record       = find_valid_passport_by_grant_id(access_grant.id) { |failure| return failure }
+
+        if record.update_attribute :oauth_access_token_id, access_token.id
+          debug { "Successfully augmented Passport #{record.id} with Access Token ID #{access_token.id} which is #{access_token.token}" }
+          Operations.success :passport_known_by_grant_augmented_with_access_token
+        else
+          Operations.failure :could_not_augment_passport_known_by_grant_with_access_token
+        end
+      end
+
+      def self.register_access_token(passport_id:, access_token:)
+        access_token = find_valid_access_token(access_token) { |failure| return failure }
+        record       = find_valid_passport(passport_id)      { |failure| return failure }
+
+        if record.update_attribute :oauth_access_token_id, access_token.id
+          debug { "Successfully augmented Passport #{record.id} with Access Token ID #{access_token.id} which is #{access_token.token}" }
+          Operations.success :passport_augmented_with_access_token
+        else
+          Operations.failure :could_not_augment_passport_with_access_token
+        end
+      end
+
+      def self.logout(passport_id:, provider_passport_id:)
+        if passport_id.present? || provider_passport_id.present?
+          debug { "Attemting to logout Passport groups of Passport IDs #{passport_id.inspect} and #{provider_passport_id.inspect}..." }
+        else
+          debug { "Should logout Passport groups now, but don't know which ones. Moving on..." }
+          return Operations.success :nothing_to_revoke_from
+        end
+
+        count = 0
+        count += logout_cluster(passport_id) if passport_id.present?
+        count += logout_cluster(provider_passport_id) if provider_passport_id.present?
+
+        Operations.success :passports_revoked, object: count
+      end
+
+      private
+
+      def self.find_valid_passport(id)
+        record = backend.where(revoked_at: nil).find_by_id(id)
+        return record if record
+
+        debug { "Could not find valid passport with ID #{id.inspect}" }
+        debug { "All I have is #{backend.all.inspect}" }
+        yield Operations.failure :passport_not_found if block_given?
+        nil
+      end
+
+      def self.find_valid_passport_by_grant_id(id)
+        record = backend.where(revoked_at: nil).find_by_oauth_access_grant_id(id)
+        return record if record
+
+        warn { "Could not find valid passport by Authorization Grant ID #{id.inspect}" }
+        yield Operations.failure :passport_not_found
+        nil
+      end
+
+      def self.find_valid_access_grant(token)
+        record = ::Doorkeeper::AccessGrant.find_by_token token
+
+        if record && record.valid?
+          record
+        else
+          warn { "Could not find valid Authorization Grant Token #{token.inspect}" }
+          yield Operations.failure :access_grant_not_found
+          nil
+        end
+      end
+
+      def self.find_valid_access_token(token)
+        record = ::Doorkeeper::AccessToken.find_by_token token
+
+        if record && record.valid?
+          record
+        else
+          warn { "Could not find valid OAuth Access Token #{token.inspect}" }
+          yield Operations.failure :access_token_not_found
+          nil
+        end
+      end
+
+      def self.logout_cluster(passport_id)
+        unless passport_id.present? && record = backend.find_by_id(passport_id)
+          debug { "Cannot revoke Passport group of Passport ID #{passport_id.inspect} because it does not exist." }
+          return 0
+        end
+
+        debug { "Revoking Passport group #{record.group_id.inspect} of Passport ID #{passport_id.inspect}" }
+        affected_row_count = backend.where(group_id: record.group_id).update_all revoked_at: Time.now, revoke_reason: :logout
+        debug { "Successfully revoked #{affected_row_count.inspect} Passports." }
+        affected_row_count
+      end
+
+      def self.backend
+        ::SSO::Server::Passport
+      end
+
+    end
+  end
+end

data/lib/sso/server/warden/hooks/after_authentication.rb

@@ -0,0 +1,47 @@
+module SSO
+  module Server
+    module Warden
+      module Hooks
+        class AfterAuthentication
+          include ::SSO::Logging
+
+          attr_reader :user, :warden, :options
+
+          def self.to_proc
+            proc do |user, warden, options|
+              begin
+                new(user: user, warden: warden, options: options).call
+              rescue => exception
+                ::SSO.config.exception_handler.call exception
+                # The show must co on
+              end
+            end
+          end
+
+          def initialize(user:, warden:, options:)
+            @user, @warden, @options = user, warden, options
+          end
+
+          def call
+            debug { 'Starting hook because this is considered the first login of the current session...' }
+            request = warden.request
+            session = warden.env['rack.session']
+
+            debug { "Generating a passport for user #{user.id.inspect} for the session cookie at the SSO server..." }
+            attributes = { owner_id: user.id, ip: request.ip, agent: request.user_agent }
+
+            generation = SSO::Server::Passports.generate attributes
+            if generation.success?
+              debug { "Passport with ID #{generation.object.inspect} generated successfuly. Persisting it in session..." }
+              session[:passport_id] = generation.object
+            else
+              fail generation.code.inspect + generation.object.inspect
+            end
+
+            debug { 'Finished.' }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sso/server/warden/hooks/before_logout.rb

@@ -0,0 +1,38 @@
+module SSO
+  module Server
+    module Warden
+      module Hooks
+        class BeforeLogout
+          include ::SSO::Logging
+
+          attr_reader :user, :warden, :options
+          delegate :request, to: :warden
+          delegate :params, to: :request
+          delegate :session, to: :request
+
+          def self.to_proc
+            proc do |user, warden, options|
+              begin
+                new(user: user, warden: warden, options: options).call
+              rescue => exception
+                ::SSO.config.exception_handler.call exception
+              end
+            end
+          end
+
+          def initialize(user:, warden:, options:)
+            @user, @warden, @options = user, warden, options
+          end
+
+          def call
+            debug { 'Before warden destroys the passport in the cookie, it will revoke all connected Passports as well.' }
+            revoking = Passports.logout passport_id: params['passport_id'], provider_passport_id: session['passport_id']
+
+            error { 'Could not revoke the Passports.' } if revoking.failure?
+            debug { 'Finished.' }
+          end
+        end
+      end
+    end
+  end
+end