sso 0.1.0.alpha5 → 0.1.0.alpha6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b81f083797ce01186f402b3a38e3a8e5cc4a6d2e
-  data.tar.gz: 5056b770891d6cf3655cb81513ad3fe88d542bde
+  metadata.gz: 5719f768df38f21f0427bf887e96e6c300380a52
+  data.tar.gz: cba2104943a75bb640747ba088229c8b14b7a1d5
 SHA512:
-  metadata.gz: 1ae490829e5875ca39dcc25c1cfb9352fc856111329f5a3f2b1f33164156d2c35eb3e21897f8aa9d5233279d4d5a9415c5e0209c2ca42b88545e5c3cb3bc6d88
-  data.tar.gz: 52b8f08786e63e9f22b0792081b6efa752ec2bc15e201bd42cae6a984c92749986da46ef9cf8cfe20d6214930ccd8b5dfe1ae7e845bc2e92119f1a1f8a3810f1
+  metadata.gz: 938d6845a25437b1b7fc5c20d9709031f50afaec5e9b9359eb6686db8a70e5ff3bd02f4f45fed36c5fc8b08275be08801ea9ec19228486caf910c5c049522b1c
+  data.tar.gz: 8983a717b6a800e7add505e27c1d9fce1368b8a9e651d1625e00ee3a968ad3ff8ba321019d5cb8908767db5231c6b53c088b190fdbcd45c3b9d7cdb1cddc8c22

data/lib/sso/client/README.md

@@ -18,7 +18,7 @@
 * A public OAuth Client, such as an `iPhone`, uses the `Resource Owner Password Credentials Grant` to exchange the `username` and `password` of the end user for an OAuth `access_token` with the OAuth permission scope `outsider`.
 * You exchange the `access_token` for a passport token. That is effectively your API token used to communicate with the OAuth Rails clients.
 * The OAuth Rails clients verify that token with the OAuth server at every request.
-* In effect, this turns your iPhone app into a Browser, technically not an OAuth Client.
+* In effect, this turns your iPhone app into a Browser, technically not a trusted OAuth Client.
 
 #### Also good to know
 
@@ -35,7 +35,22 @@ gem 'sso', require: 'sso/client'
 
 #### Make sure you activated the Warden middleware provided by the `warden` gem
 
-See [the Warden wiki](https://github.com/hassox/warden/wiki/Setup)
+See [the Warden wiki](https://github.com/hassox/warden/wiki/Setup).
+However, one thing is special here, you must not store the entire object, but only a reference to the passport.
+If you store the entire object, that would be a major security risk and allow for cookie replay attacks.
+
+```
+class Warden::SessionSerializer
+  def serialize(passport)
+    Redis.set passport.id, passport.to_json
+  end
+
+  def deserialize(passport_id)
+    json = Redis.get passport_id
+    SSO::Client::Passport.new JSON.parse(json)
+  end
+end
+```
 
 #### Set the URL to the SSO Server
 

data/lib/sso/client/authentications/passport.rb

@@ -0,0 +1,176 @@
+module SSO
+  module Client
+    module Authentications
+      class Passport
+        include ::SSO::Logging
+        include ::SSO::Benchmarking
+
+        delegate :params, to: :request
+
+        def initialize(request)
+          @request = request
+        end
+
+        def authenticate
+          debug { "Performing authentication..." }
+          result = authenticate!
+
+          if result.success?
+            debug { "Authentication succeeded." }
+            return result
+          end
+
+          debug { "The Client Passport authentication failed: #{result.code}" }
+          Operations.failure :passport_authentication_failed, object: failure_rack_array
+        end
+
+        private
+
+        attr_reader :request, :passport_id
+
+        def authenticate!
+          chip_decryption         { |failure| return failure }
+          check_request_signature { |failure| return failure }
+          passport = retrieve_passport { |failure| return failure }
+          passport.verified!
+
+          Operations.success :passport_received, object: passport
+        end
+
+        def retrieve_passport
+          debug { 'Retrieving Passport from server...' }
+          if verification.success? && verification.code == :passport_valid_and_modified
+            passport = verification.object
+
+            debug { "Successfully retrieved Passport with ID #{passport_id} from server." }
+            return passport
+          else
+            debug { 'Could not obtain Passport from server.' }
+            yield verification
+          end
+        end
+
+        def check_request_signature
+          debug { "Verifying request signature using Passport secret #{passport_secret.inspect}" }
+          signature_request.authenticate do |passport_id|
+            @passport_id = passport_id
+            Signature::Token.new passport_id, passport_secret
+          end
+          debug { 'Signature looks legit.' }
+          Operations.success :passport_signature_valid
+
+        rescue ::Signature::AuthenticationError => exception
+          debug { "The Signature Authentication failed. #{exception.message}" }
+          yield Operations.failure :invalid_passport_signature
+        end
+
+        def verifier
+          ::SSO::Client::PassportVerifier.new passport_id: passport_id, passport_state: 'refresh', passport_secret: passport_secret, user_ip: ip, user_agent: agent, device_id: device_id
+        end
+
+        def verification
+          @verification ||= verifier.call
+        end
+
+        def failure_rack_array
+          payload = { success: true, code: :passport_verification_failed }
+          [200, { 'Content-Type' => 'application/json' }, [payload.to_json]]
+        end
+
+        def signature_request
+          debug { "Verifying signature of #{request.request_method.inspect} #{request.path.inspect} #{request.params.inspect}"}
+          ::Signature::Request.new request.request_method, request.path, request.params
+        end
+
+        def check_chip
+          Operations.success :chip_syntax_valid
+        end
+
+        def chip_decryption
+          debug { "Validating chip decryptability of raw chip #{chip.inspect}"}
+          yield Operations.failure(:missing_chip, object: params) if chip.blank?
+          yield Operations.failure(:missing_chip_key) unless chip_key
+          yield Operations.failure(:missing_chip_iv) unless chip_iv
+          Operations.success :here_is_your_chip_plaintext, object: decrypt_chip
+
+        rescue OpenSSL::Cipher::CipherError => exception
+          yield Operations.failure :chip_decryption_failed, object: exception.message
+        end
+
+        def decrypt_chip
+          @decrypt_chip ||= decrypt_chip!
+        end
+
+        def decrypt_chip!
+          benchmark 'Passport chip decryption' do
+            decipher = chip_digest
+            decipher.decrypt
+            decipher.key = chip_key
+            decipher.iv = chip_iv
+            plaintext = decipher.update(chip_ciphertext) + decipher.final
+            logger.debug { "Decryptied chip plaintext #{plaintext.inspect} using key #{chip_key.inspect} and iv #{chip_iv.inspect} and ciphertext #{chip_ciphertext.inspect}"}
+            plaintext
+          end
+        end
+
+        def passport_secret
+          decrypt_chip
+        end
+
+        def chip_key
+          ::SSO.config.passport_chip_key
+        end
+
+        def user_state_digest
+          ::OpenSSL::Digest.new 'sha1'
+        end
+
+        def chip_ciphertext
+          Base64.decode64 encoded_chip_ciphertext
+        end
+
+        def encoded_chip_ciphertext
+          chip_ciphertext_and_iv.first
+        end
+
+        def chip_iv
+          Base64.decode64 chip_ciphertext_and_iv.last
+        end
+
+        def encoded_chip_iv
+          chip_iv
+        end
+
+        def chip_ciphertext_and_iv
+          chip.to_s.split '|'
+        end
+
+        def chip
+          params['passport_chip']
+        end
+
+        #def warden
+        #  request.env['warden']
+        #end
+
+        def chip_digest
+          ::OpenSSL::Cipher::AES256.new :CBC
+        end
+
+        # TODO Use ActionDispatch remote IP or you might get the Load Balancer's IP instead :(
+        def ip
+          request.ip
+        end
+
+        def agent
+          request.user_agent
+        end
+
+        def device_id
+          request.params['device_id']
+        end
+
+      end
+    end
+  end
+end

data/lib/sso/client/passport.rb

@@ -2,10 +2,14 @@ module SSO
   module Client
     class Passport
 
-      attr_reader :id, :secret, :state, :user
+      attr_reader :id, :secret, :state, :user, :chip
 
-      def initialize(id:, secret:, state:, user:)
-        @id, @secret, @state, @user = id, secret, state, user
+      def initialize(id:, secret:, state:, user:, chip: nil)
+        @id     = id
+        @secret = secret
+        @state  = state
+        @user   = user
+        @chip   = chip
       end
 
       def verified!

data/lib/sso/client/passport_verifier.rb

@@ -0,0 +1,130 @@
+module SSO
+  module Client
+    class PassportVerifier
+      include ::SSO::Benchmarking
+
+      attr_reader :passport_id, :passport_state, :passport_secret, :user_ip, :user_agent, :device_id
+
+      def initialize(passport_id:, passport_state:, passport_secret:, user_ip:, user_agent: nil, device_id: nil)
+        @passport_id     = passport_id
+        @passport_state  = passport_state
+        @passport_secret = passport_secret
+        @user_ip         = user_ip
+        @user_agent      = user_agent
+        @device_id       = device_id
+      end
+
+      def call
+        get_response { |failure| return failure }
+        interpret_response
+
+      rescue JSON::ParserError
+        error { 'SSO Server response is not valid JSON.' }
+        error { response.inspect }
+      end
+
+      private
+
+      def get_response
+        yield Operations.failure(:server_unreachable, object: response)                   unless response.code == 200
+        yield Operations.failure(:server_response_not_parseable, object: response)        unless parsed_response
+        yield Operations.failure(:server_response_missing_success_flag, object: response) unless response_has_success_flag?
+        yield Operations.failure(:server_response_unsuccessful, object: response)         unless parsed_response['success'].to_s == 'true'
+        Operations.success :server_response_looks_legit
+      end
+
+      def interpret_response
+        debug { "Interpreting response code #{response_code.inspect}" }
+
+        case response_code
+        when :passpord_unmodified then Operations.success(:passport_valid)
+        when :passport_changed    then Operations.success(:passport_valid_and_modified, object: received_passport)
+        when :passport_invalid    then Operations.failure(:passport_invalid)
+        else                           Operations.failure(:unexpected_server_response_status, object: response)
+        end
+      end
+
+      def response_code
+        return :unknown_response_code if parsed_response['code'].to_s == ''
+        parsed_response['code'].to_s.to_sym
+      end
+
+      def received_passport
+        ::SSO::Client::Passport.new received_passport_attributes
+
+      rescue ArgumentError => exception
+        error { "Could not instantiate Passport from serialized response #{received_passport_attributes.inspect}" }
+        raise
+      end
+
+      def received_passport_attributes
+        attributes = parsed_response['passport']
+        attributes.keys.each do |key|
+          attributes[(key.to_sym rescue key) || key] = attributes.delete(key)
+        end
+        attributes
+      end
+
+      def params
+        { ip: user_ip, agent: user_agent, device_id: device_id, state: passport_state }
+      end
+
+      def token
+        Signature::Token.new passport_id, passport_secret
+      end
+
+      def signature_request
+        Signature::Request.new('GET', path, params)
+      end
+
+      def auth_hash
+        signature_request.sign token
+      end
+
+      def timeout_in_milliseconds
+        ::SSO.config.passport_verification_timeout_ms.to_i
+      end
+
+      def timeout_in_seconds
+        (timeout_in_milliseconds / 1000).round 2
+      end
+
+      # TODO Needs to be configurable
+      def path
+        OmniAuth::Strategies::SSO.passports_path
+      end
+
+      def base_endpoint
+        OmniAuth::Strategies::SSO.endpoint
+      end
+
+      def endpoint
+        URI.join(base_endpoint, path).to_s
+      end
+
+      def query_params
+        params.merge auth_hash
+      end
+
+      def response
+        @response ||= response!
+      end
+
+      def response!
+        debug { "Fetching Passport from #{endpoint.inspect}" }
+        benchmark 'Passport authorization request' do
+          ::HTTParty.get endpoint, timeout: timeout_in_seconds, query: query_params, headers: { 'Accept' => 'application/json' }
+        end
+      end
+
+      def parsed_response
+        response.parsed_response
+      end
+
+      def response_has_success_flag?
+        parsed_response && parsed_response.respond_to?(:key?) && parsed_response.key?('success')
+      end
+
+    end
+  end
+end

data/lib/sso/client/warden/hooks/after_fetch.rb

@@ -14,6 +14,8 @@ module SSO
           include ::SSO::Benchmarking
 
           attr_reader :passport, :warden, :options
+          delegate :request, to: :warden
+          delegate :params, to: :request
 
           def self.activate(warden_options)
             ::Warden::Manager.after_fetch(warden_options) do |passport, warden, options|
@@ -39,51 +41,47 @@ module SSO
 
           private
 
-          def verify
-            debug { "Validating Passport #{passport.id.inspect} of logged in #{passport.user.class} in scope #{warden_scope.inspect}" }
-            return server_unreachable!                   unless response.code == 200
-            return server_response_not_parseable!        unless parsed_response
-            return server_response_missing_success_flag! unless response_has_success_flag?
-            return server_response_unsuccessful!         unless parsed_response['success'].to_s == 'true'
-            verify!
 
-          rescue JSON::ParserError
-            error { 'SSO Server response is not valid JSON.' }
-            error { response.inspect }
+          def verifier
+            ::SSO::Client::PassportVerifier.new passport_id: passport.id, passport_state: passport.state, passport_secret: passport.secret, user_ip: ip, user_agent: agent, device_id: device_id
           end
 
-          def verify!
-            code = parsed_response['code'].to_s == '' ? :unknown_response_code : parsed_response['code'].to_s.to_sym
-
-            case code
-            when :passport_changed    then valid_passport_changed!
-            when :passpord_unmodified then valid_passport_remains!
-            when :passport_invalid    then invalid_passport!
-            else                           unexpected_server_response_status!
-            end
+          def verification
+            @verification ||= verifier.call
           end
 
-          def parsed_response
-            response.parsed_response
+          def verification_code
+            verification.code
           end
 
-          def response_has_success_flag?
-            parsed_response && parsed_response.respond_to?(:key?) && parsed_response.key?('success')
+          def verify
+            debug { "Validating Passport #{passport.id.inspect} of logged in #{passport.user.class} in scope #{warden_scope.inspect}" }
+
+            case verification_code
+            when :server_unreachable                    then server_unreachable!
+            when :server_response_not_parseable         then server_response_not_parseable!
+            when :server_response_missing_success_flag! then server_response_missing_success_flag!
+            when :server_response_unsuccessful!         then server_response_unsuccessful!
+            when :passport_valid                        then passport_valid!
+            when :passport_valid_and_modified           then passport_valid_and_modified!
+            when :passport_invalid                      then passport_invalid!
+            else                                             unexpected_server_response_status!
+            end
           end
 
-          def valid_passport_changed!
+          def passport_valid_and_modified!
             debug { 'Valid passport, but state changed' }
             passport.verified!
             # meter status: :valid, passport_id: user.passport_id
           end
 
-          def valid_passport_remains!
+          def passport_valid!
             debug { 'Valid passport, no changes' }
-            user.verified!
+            passport.verified!
             # meter status: :valid, passport_id: user.passport_id
           end
 
-          def invalid_passport!
+          def passport_invalid!
             info { 'Your Passport is not valid any more.' }
             warden.logout warden_scope
             # meter status: :invalid, passport_id: user.passport_id
@@ -98,79 +96,32 @@ module SSO
           end
 
           def unexpected_server_response_status!
-            error { 'SSO Server response did not include a known passport status code.' }
+            error { "SSO Server response did not include a known passport status code. #{verification_code.inspect}" }
           end
 
           def server_response_not_parseable!
             error { 'SSO Server response could not be parsed at all.' }
           end
 
-          def endpoint
-            URI.join(base_endpoint, path).to_s
-          end
-
-          def query_params
-            params.merge auth_hash
-          end
-
-          # Needs to be configurable
-          def path
-            OmniAuth::Strategies::SSO.passports_path
-          end
-
-          def base_endpoint
-            OmniAuth::Strategies::SSO.endpoint
-          end
-
           def meter(*_)
             # This will be a hook for e.g. statistics, benchmarking, etc, measure everything
           end
 
           # TODO Use ActionDispatch remote IP or you might get the Load Balancer's IP instead :(
           def ip
-            warden.request.ip
+            request.ip
           end
 
           def agent
-            warden.request.user_agent
-          end
-
-          def warden_scope
-            options[:scope]
-          end
-
-          def params
-            { ip: ip, agent: agent, state: passport.state }
-          end
-
-          def token
-            Signature::Token.new passport.id, passport.secret
-          end
-
-          def signature_request
-            Signature::Request.new('GET', path, params)
+            request.user_agent
           end
 
-          def auth_hash
-            signature_request.sign token
+          def device_id
+            params['device_id']
           end
 
-          def human_readable_timeout_in_ms
-            (timeout_in_seconds * 1000).round
-          end
-
-          def timeout_in_seconds
-            0.1.seconds
-          end
-
-          def response
-            @response ||= response!
-          end
-
-          def response!
-            benchmark 'Passport authorization request' do
-              ::HTTParty.get endpoint, timeout: timeout_in_seconds, query: query_params, headers: { 'Accept' => 'application/json' }
-            end
+          def warden_scope
+            options[:scope]
           end
 
         end

data/lib/sso/client/warden/strategies/passport.rb

@@ -0,0 +1,43 @@
+module SSO
+  module Client
+    module Warden
+      module Strategies
+        # When the iPhone presents a Passport to Alpha, this is how Alpha verifies it with Bouncer.
+        class Passport < ::Warden::Strategies::Base
+          include ::SSO::Logging
+          include ::SSO::Benchmarking
+
+          def valid?
+            params['auth_version'].to_s != '' && params['state'] != ''
+          end
+
+          def authenticate!
+            debug { 'Authenticating from Passport...' }
+
+            authentication = passport_authentication
+
+            if authentication.success?
+              debug { 'Authentication from Passport successful.' }
+              debug { "Persisting trusted Passport #{authentication.object.inspect}" }
+              success! authentication.object
+            else
+              debug { 'Authentication from Passport failed.' }
+              debug { "Responding with #{authentication.object.inspect}" }
+              custom! authentication.object
+            end
+
+          rescue => exception
+            ::SSO.config.exception_handler.call exception
+          end
+
+          def passport_authentication
+            benchmark 'Passport proxy verification' do
+              ::SSO::Client::Authentications::Passport.new(request).authenticate
+            end
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/sso/client.rb

@@ -4,5 +4,8 @@ require 'warden'
 
 require 'sso'
 require 'sso/client/passport'
+require 'sso/client/passport_verifier'
 require 'sso/client/omniauth/strategies/sso'
 require 'sso/client/warden/hooks/after_fetch'
+require 'sso/client/authentications/passport'
+require 'sso/client/warden/strategies/passport'