sso 0.1.0.alpha5 → 0.1.0.alpha6

data/lib/sso/server/authentications/passport.rb

@@ -32,8 +32,10 @@ module SSO
             return Operations.failure :invalid_signature, object: failure_rack_array
           end
 
-          debug { 'The request was properly signed, I found the corresponding passport.' }
+          debug { 'The request was properly signed, I found the corresponding passport. Updating activity...' }
           update_passport
+          debug { 'Attaching user to passport' }
+          passport.load_user!
 
           if passport.state == state
             Operations.success :signature_approved_no_changes, object: success_same_state_rack_array
@@ -44,12 +46,14 @@ module SSO
         end
 
         def check_arguments
+          debug { 'Checking arguments...' }
           yield Operations.failure :missing_verb         if verb.blank?
           yield Operations.failure :missing_passport_id  if passport_id.blank?
           yield Operations.failure :missing_state        if state.blank?
           yield Operations.failure :passport_not_found   if passport.blank?
           yield Operations.failure :passport_revoked     if passport.invalid?
-          # yield Operations.failure :user_not_encapsulated if passport.user.blank?
+          debug { 'Arguments are fine.' }
+          #yield Operations.failure :user_not_encapsulated if passport.user.blank?
           Operations.success :arguments_are_valid
         end
 
@@ -74,16 +78,24 @@ module SSO
         end
 
         def passport
-          @passport ||= backend.find_by_id passport_id
+          @passport ||= passport!
+        end
+
+        def passport!
+          return unless record = backend.find_by_id(passport_id)
+          debug { "Successfully loaded Passport #{passport_id} from database." }
+          record
         end
 
         def passport_id
           signature_request.authenticate { |passport_id| return passport_id }
+
         rescue Signature::AuthenticationError
           nil
         end
 
         def valid_signature?
+          debug { 'Checking request signature...' }
           signature_request.authenticate { Signature::Token.new passport_id, passport.secret }
           true
         rescue Signature::AuthenticationError
@@ -96,52 +108,7 @@ module SSO
         end
 
         def update_passport
-          debug { "Will update activity of Passport #{passport.id} if neccesary..." }
-          if passport.ip.to_s == ip.to_s && passport.agent.to_s == user_agent.to_s
-            debug { "No changes in IP or User Agent so I won't perform an update now..." }
-            Operations.success :already_up_to_date
-          else
-            debug { "Yes, it is necessary, updating activity of Passport #{passport.id}" }
-            passport.update_attributes ip: ip.to_s, agent: user_agent, activity_at: Time.now
-            Operations.success :passport_metadata_updated
-          end
-        end
-
-        def application
-          passport.application
-        end
-
-        def app_scopes
-          application.scopes
-        end
-
-        def insider?
-          if app_scopes.empty?
-            warn { "Doorkeeper::Application #{application.name} with ID #{application.id} has no scope restrictions. Assuming 'outsider' for now." }
-            return false
-          end
-
-          app_scopes.has_scopes? [:insider]
-        end
-
-        def ip
-          if insider?
-            params['ip']
-          else
-            request_ip
-          end
-        end
-
-        def user_agent
-          if insider?
-            params['user_agent']
-          else
-            request.user_agent
-          end
-        end
-
-        def request_ip
-          request.env['action_dispatch.remote_ip'] || fail('Whoops, I thought you were using Rails, but action_dispatch.remote_ip is empty!')
+          ::SSO::Server::Passports.update_activity passport_id: passport.id, request: request
         end
 
         def verb

data/lib/sso/server/configuration.rb

@@ -3,16 +3,13 @@ require 'logger'
 module SSO
   class Configuration
 
+    # Server
+
     def human_readable_location_for_ip
       @human_readable_location_for_ip || default_human_readable_location_for_ip
     end
     attr_writer :human_readable_location_for_ip
 
-    def exception_handler
-      @exception_handler || default_exception_handler
-    end
-    attr_writer :exception_handler
-
     def user_state_base
       @user_state_base || fail('You need to configure user_state_base, see SSO::Configuration for more info.')
     end
@@ -28,6 +25,30 @@ module SSO
     end
     attr_writer :user_state_key
 
+    # Client
+
+    def session_backend
+      @session_backend || default_session_backend
+    end
+    attr_writer :session_backend
+
+    def passport_verification_timeout_ms
+      @passport_verification_timeout_ms || default_passport_verification_timeout_ms
+    end
+    attr_writer :passport_verification_timeout_ms
+
+    # Both
+
+    def exception_handler
+      @exception_handler || default_exception_handler
+    end
+    attr_writer :exception_handler
+
+    def passport_chip_key
+      @passport_chip_key || fail('You need to configure a secret passport_chip_key, see SSO::Configuration for more info.')
+    end
+    attr_writer :passport_chip_key
+
     def logger
       @logger ||= default_logger
     end
@@ -62,7 +83,7 @@ module SSO
     end
 
     def default_exception_handler
-      proc do
+      proc do |exception|
         return unless ::SSO.config.logger
         ::SSO.config.logger.error(self.class) do
           "An internal error occured #{exception.class.name} #{exception.message} #{exception.backtrace[0..5].join(' ') if exception.backtrace}"
@@ -76,5 +97,14 @@ module SSO
       end
     end
 
+    def default_session_backend
+      fail('You need to configure session_backend, see SSO::Configuration for more info.') unless %w(developmen test).include?(environment)
+     # Moneta.new :Memory
+    end
+
+    def default_passport_verification_timeout_ms
+      100
+    end
+
   end
 end

data/lib/sso/server/doorkeeper/access_token_marker.rb

@@ -38,25 +38,25 @@ module SSO
         end
 
         def handle_authorization_grant_flow
-          # We cannot rely on session[:passport_id] here because the end-user might have cookies disabled.
-          # The only thing we can rely on to identify the user/Passport is the incoming grant token.
+          # We cannot rely on looking up session[:passport_id] here because the end-user might have cookies disabled.
+          # The only thing we can really rely on to identify the Passport is the incoming grant token.
           debug { %(Detected outgoing "Access Token" #{outgoing_access_token.inspect} of the "Authorization Code Grant" flow) }
           debug { %(This Access Token belongs to "Authorization Grant Token" #{grant_token.inspect}. Augmenting related Passport with it...) }
           registration = ::SSO::Server::Passports.register_access_token_from_grant grant_token: grant_token, access_token: outgoing_access_token
 
           return if registration.success?
-          warn { 'The passport could not be augmented. Destroying warden session.' }
+          warn { 'The passport could not be augmented via the authorizaton grant. Destroying warden session.' }
           warden.logout
         end
 
         def handle_password_flow
-          local_passport_id = session[:passport_id] # <- We know this is always set because it was set in this very response
+          local_passport_id = session[:passport_id] # <- We know this always exists because it was set in this very response
           debug { %(Detected outgoing "Access Token" #{outgoing_access_token.inspect} of the "Resource Owner Password Credentials Grant" flow.) }
           debug { %(Augmenting local Passport #{local_passport_id.inspect} with this outgoing Access Token...) }
-          generation = ::SSO::Server::Passports.register_access_token passport_id: local_passport_id, access_token: outgoing_access_token
+          registration = ::SSO::Server::Passports.register_access_token_from_id passport_id: local_passport_id, access_token: outgoing_access_token
 
-          return if generation.success?
-          warn { 'The passport could not be generated. Destroying warden session.' }
+          return if registration.success?
+          warn { 'The passport could not be augmented via the access token. Destroying warden session.' }
           warden.logout
         end
 

data/lib/sso/server/middleware/passport_destruction.rb

@@ -0,0 +1,40 @@
+module SSO
+  module Server
+    module Middleware
+      class PassportDestruction
+        include ::SSO::Logging
+
+        def initialize(app)
+          @app = app
+        end
+
+        def call(env)
+          request = Rack::Request.new(env)
+
+          if !(request.delete? && request.path.start_with?(passports_path))
+            debug { "I'm not interested in this #{request.request_method.inspect} request to #{request.path.inspect} I only care for DELETE #{passports_path.inspect}" }
+            return @app.call(env)
+          end
+
+          passport_id = request.path.to_s.split('/').last
+          revocation = ::SSO::Server::Passports.logout passport_id: passport_id
+          env['warden'].logout
+
+          payload = { success: true, code: revocation.code }
+          debug { "Revoked Passport with ID #{passport_id.inspect}" }
+
+          return [200, { 'Content-Type' => 'application/json' }, [payload.to_json]]
+        end
+
+        def json_code(code)
+          [200, { 'Content-Type' => 'application/json' }, [{ success: true, code: code }.to_json]]
+        end
+
+        def passports_path
+          OmniAuth::Strategies::SSO.passports_path
+        end
+
+      end
+    end
+  end
+end

data/lib/sso/server/middleware/{passport_creation.rb → passport_exchange.rb}

@@ -1,7 +1,9 @@
 module SSO
   module Server
     module Middleware
-      class PassportCreation
+      # Hands out the Passport when presented with the corresponding Access Token.
+      #
+      class PassportExchange
         include ::SSO::Logging
 
         def initialize(app)
@@ -11,9 +13,10 @@ module SSO
         def call(env)
           request = Rack::Request.new(env)
           remote_ip = request.env['action_dispatch.remote_ip'].to_s
+          device_id = request.params['device_id']
 
           if !(request.post? && request.path == passports_path)
-            debug { "I'm not interested in this request to #{request.path}" }
+            debug { "I'm not interested in this #{request.request_method.inspect} request to #{request.path.inspect} I only care for POST #{passports_path.inspect}" }
             return @app.call(env)
           end
 
@@ -29,18 +32,19 @@ module SSO
             return json_code :access_token_invalid
           end
 
-          creation = ::SSO::Server::Passports.generate owner_id: access_token.resource_owner_id, ip: remote_ip, agent: request.user_agent
-          passport_id = creation.object
-          finding = ::SSO::Server::Passports.find(passport_id)
-
+          finding = ::SSO::Server::Passports.find_by_access_token_id(access_token.id)
           if finding.failure?
-            error { "Could not find newly generated Passport #{finding.code.inspect} - #{finding.object.inspect}"}
-            return json_code :access_token_not_attached_to_valid_passport
+            # This should never happen. Every Access Token should be connected to a Passport.
+            return json_code :passport_not_found
           end
-
           passport = finding.object
-          debug { "Attaching user to passport #{passport.inspect}" }
-          passport.user = SSO.config.find_user_for_passport.call(passport: passport, ip: remote_ip)
+
+          ::SSO::Server::Passports.update_activity passport_id: passport.id, request: request
+
+          debug { "Attaching user and chip to passport #{passport.inspect}" }
+          passport.load_user!
+          passport.create_chip!
+
           payload = { success: true, code: :here_is_your_passport, passport: passport.export }
           debug { "Created Passport #{passport.id}, sending it including user #{passport.user.inspect}}"}
 

data/lib/sso/server/middleware/passport_verification.rb

@@ -15,13 +15,13 @@ module SSO
             debug { 'Detected incoming Passport verification request.' }
             env['warden'].authenticate! :passport
           else
-            debug { "I'm not interested in this request to #{request.path}" }
+            debug { "I'm not interested in this #{request.request_method.inspect} request to #{request.path.inspect} I only care for GET #{passports_path.inspect}" }
             @app.call(env)
           end
         end
 
         def passports_path
-          OmniAuth::Strategies::SSO.passports_path
+          ::OmniAuth::Strategies::SSO.passports_path
         end
 
       end

data/lib/sso/server/passport.rb

@@ -5,23 +5,21 @@ module SSO
     # This could be MongoDB or whatever
     class Passport < ActiveRecord::Base
       include ::SSO::Logging
+      include ::SSO::Benchmarking
 
       self.table_name = 'passports'
 
       before_validation :ensure_secret
-      before_validation :ensure_group_id
       before_validation :ensure_activity_at
 
       before_save :update_location
 
-      belongs_to :application, class_name: 'Doorkeeper::Application'
-
-      validates :secret, :group_id, presence: true
+      validates :secret, presence: true
       validates :oauth_access_token_id, uniqueness: { scope: [:owner_id, :revoked_at], allow_blank: true }
       validates :revoke_reason, allow_blank: true, format: { with: /\A[a-z_]+\z/ }
-      validates :application_id, presence: true, numericality: { only_integer: true, greater_than_or_equal_to: 0 }
 
       attr_accessor :user
+      attr_reader :chip
 
       def export
         debug { "Exporting Passport #{id} including the encapsulated user." }
@@ -29,6 +27,7 @@ module SSO
           id: id,
           secret: secret,
           state: state,
+          chip: chip,
           user: user,
         }
       end
@@ -47,19 +46,52 @@ module SSO
       end
 
       def state!
-        result = nil
-        time = Benchmark.realtime do
-          result = OpenSSL::HMAC.hexdigest user_state_digest, user_state_key, user_state_base
+        benchmark 'Passport user state calculation' do
+          OpenSSL::HMAC.hexdigest user_state_digest, user_state_key, user_state_base
+        end
+      end
+
+      def load_user!
+        @user = SSO.config.find_user_for_passport.call passport: self.reload
+      end
+
+      def create_chip!
+        @chip = chip!
+      end
+
+      def chip!
+        benchmark 'Passport chip encryption' do
+          ensure_secret
+          cipher = chip_digest
+          cipher.encrypt
+          cipher.key = chip_key
+          chip_iv = cipher.random_iv
+          ciphertext = cipher.update chip_plaintext
+          ciphertext << cipher.final
+          debug { "The Passport chip plaintext #{chip_plaintext.inspect} was encrypted using key #{chip_key.inspect} and IV #{chip_iv.inspect} and resultet in ciphertext #{ciphertext.inspect}" }
+          chip = [Base64.encode64(ciphertext).strip(), Base64.encode64(chip_iv).strip()].join('|')
+          logger.debug { "Augmented passport #{id.inspect} with chip #{chip.inspect}" }
+          chip
         end
-        debug { "The user state digest is #{result.inspect}" }
-        debug { "Calculating the user state took #{(time * 1000).round(2)}ms" }
-        result
       end
 
       def user_state_digest
         OpenSSL::Digest.new 'sha1'
       end
 
+      def chip_digest
+        OpenSSL::Cipher::AES256.new :CBC
+      end
+
+      def chip_key
+        SSO.config.passport_chip_key
+      end
+
+      # Don't get confused, the chip plaintext is the passport secret
+      def chip_plaintext
+        secret
+      end
+
       def user_state_key
         ::SSO.config.user_state_key
       end
@@ -74,10 +106,6 @@ module SSO
         self.secret ||= SecureRandom.uuid
       end
 
-      def ensure_group_id
-        self.group_id ||= SecureRandom.uuid
-      end
-
       def ensure_activity_at
         self.activity_at ||= Time.now
       end

data/lib/sso/server/passports.rb

@@ -17,10 +17,20 @@ module SSO
         Operations.failure :backend_error, object: exception
       end
 
-      def self.generate(owner_id:, ip:, agent:)
-        debug { "Generating Passport for user ID #{owner_id.inspect} and IP #{ip.inspect} and Agent #{agent.inspect}" }
+      def self.find_by_access_token_id(id)
+        record = backend.where(revoked_at: nil).find_by_oauth_access_token_id(id)
 
-        record = backend.create owner_id: owner_id, ip: ip, agent: agent, application_id: 0
+        if record
+          Operations.success(:record_found, object: record)
+        else
+          Operations.failure :record_not_found
+        end
+      end
+
+      def self.generate(owner_id:, ip:, agent:, device: nil)
+        debug { "Generating Passport for user ID #{owner_id.inspect} and IP #{ip.inspect} and Agent #{agent.inspect} and Device #{device.inspect}" }
+
+        record = backend.create owner_id: owner_id, ip: ip, agent: agent, device: device
 
         if record.persisted?
           debug { "Successfully generated passport with ID #{record.id}" }
@@ -30,6 +40,33 @@ module SSO
         end
       end
 
+      def self.update_activity(passport_id:, request:)
+        record = find_valid_passport(passport_id) { |failure| return failure }
+
+        immediate_ip = request.respond_to?(:remote_ip) ? request.remote_ip : request.ip
+        if record.insider?
+          proxied_ip = request['ip']
+          unless proxied_ip
+            warn { "There should have been a proxied IP param, but there was none. I will use the immediare IP #{immediate_ip} now." }
+            proxied_ip = immediate_ip
+          end
+          attributes = { ip: proxied_ip, agent: request['agent'], device: request['device_id'] }
+        else
+          attributes = { ip: immediate_ip, agent: request.user_agent, device: request.params['device_id'] }
+        end
+        attributes.merge! activity_at: Time.now
+
+        record.stamps ||= {}  # <- Not thread-safe, this may potentially delete all existing stamps, I guess
+        record.stamps[attributes[:ip]] = Time.now.to_i
+
+        debug { "Updating activity of #{record.insider? ? :insider : :outsider} Passport #{passport_id.inspect} using IP #{attributes[:ip]} agent #{attributes[:agent]} and device #{attributes[:device]}" }
+        if record.update_attributes(attributes)
+          Operations.success :passport_metadata_updated
+        else
+          Operations.failure :could_not_update_passport_activity, object: record.errors.to_hash
+        end
+      end
+
       def self.register_authorization_grant(passport_id:, token:)
         record       = find_valid_passport(passport_id) { |failure| return failure }
         access_grant = find_valid_access_grant(token)   { |failure| return failure }
@@ -47,7 +84,9 @@ module SSO
         access_token = find_valid_access_token(access_token)            { |failure| return failure }
         record       = find_valid_passport_by_grant_id(access_grant.id) { |failure| return failure }
 
-        if record.update_attribute :oauth_access_token_id, access_token.id
+        is_insider = access_token.scopes.include? 'insider'
+
+        if record.update_attributes oauth_access_token_id: access_token.id, insider: is_insider
           debug { "Successfully augmented Passport #{record.id} with Access Token ID #{access_token.id} which is #{access_token.token}" }
           Operations.success :passport_known_by_grant_augmented_with_access_token
         else
@@ -55,31 +94,33 @@ module SSO
         end
       end
 
-      def self.register_access_token(passport_id:, access_token:)
+      def self.register_access_token_from_id(passport_id:, access_token:)
         access_token = find_valid_access_token(access_token) { |failure| return failure }
         record       = find_valid_passport(passport_id)      { |failure| return failure }
 
-        if record.update_attribute :oauth_access_token_id, access_token.id
-          debug { "Successfully augmented Passport #{record.id} with Access Token ID #{access_token.id} which is #{access_token.token}" }
+        is_insider = access_token.scopes.include? 'insider'
+
+        if record.update_attributes oauth_access_token_id: access_token.id, insider: is_insider
+          debug { "Successfully augmented #{is_insider ? :insider : :outsider} Passport #{record.id} with Access Token ID #{access_token.id} which is #{access_token.token}" }
           Operations.success :passport_augmented_with_access_token
         else
           Operations.failure :could_not_augment_passport_with_access_token
         end
       end
 
-      def self.logout(passport_id:, provider_passport_id:)
-        if passport_id.present? || provider_passport_id.present?
-          debug { "Attemting to logout Passport groups of Passport IDs #{passport_id.inspect} and #{provider_passport_id.inspect}..." }
-        else
-          debug { "Should logout Passport groups now, but don't know which ones. Moving on..." }
-          return Operations.success :nothing_to_revoke_from
-        end
+      def self.logout(passport_id:)
+        return Operations.failure(:missing_passport_id) if passport_id.blank?
 
-        count = 0
-        count += logout_cluster(passport_id) if passport_id.present?
-        count += logout_cluster(provider_passport_id) if provider_passport_id.present?
+        debug { "Logging out Passport with ID #{passport_id.inspect}" }
+        record = backend.find_by_id passport_id
+        return Operations.success(:passport_does_not_exist) unless record
+        return Operations.success(:passport_already_revoked) if record.revoked_at
 
-        Operations.success :passports_revoked, object: count
+        if record.update_attributes revoked_at: Time.now, revoke_reason: :logout
+          Operations.success :passport_revoked
+        else
+          Operations.failure :backend_could_not_revoke_passport
+        end
       end
 
       private
@@ -89,7 +130,6 @@ module SSO
         return record if record
 
         debug { "Could not find valid passport with ID #{id.inspect}" }
-        debug { "All I have is #{backend.all.inspect}" }
         yield Operations.failure :passport_not_found if block_given?
         nil
       end
@@ -127,18 +167,6 @@ module SSO
         end
       end
 
-      def self.logout_cluster(passport_id)
-        unless passport_id.present? && record = backend.find_by_id(passport_id)
-          debug { "Cannot revoke Passport group of Passport ID #{passport_id.inspect} because it does not exist." }
-          return 0
-        end
-
-        debug { "Revoking Passport group #{record.group_id.inspect} of Passport ID #{passport_id.inspect}" }
-        affected_row_count = backend.where(group_id: record.group_id).update_all revoked_at: Time.now, revoke_reason: :logout
-        debug { "Successfully revoked #{affected_row_count.inspect} Passports." }
-        affected_row_count
-      end
-
       def self.backend
         ::SSO::Server::Passport
       end

data/lib/sso/server/warden/hooks/after_authentication.rb

@@ -27,7 +27,7 @@ module SSO
             request = warden.request
             session = warden.env['rack.session']
 
-            debug { "Generating a passport for user #{user.id.inspect} for the session cookie at the SSO server..." }
+            debug { "Generating a passport for user #{user.id.inspect} for the session with the SSO server..." }
             attributes = { owner_id: user.id, ip: request.ip, agent: request.user_agent }
 
             generation = SSO::Server::Passports.generate attributes

data/lib/sso/server/warden/hooks/before_logout.rb

@@ -26,7 +26,7 @@ module SSO
 
           def call
             debug { 'Before warden destroys the passport in the cookie, it will revoke all connected Passports as well.' }
-            revoking = Passports.logout passport_id: params['passport_id'], provider_passport_id: session['passport_id']
+            revoking = Passports.logout passport_id: params['passport_id']
 
             error { 'Could not revoke the Passports.' } if revoking.failure?
             debug { 'Finished.' }

data/lib/sso/server/warden/strategies/passport.rb

@@ -4,6 +4,7 @@ module SSO
       module Strategies
         class Passport < ::Warden::Strategies::Base
           include ::SSO::Logging
+          include ::SSO::Benchmarking
 
           def valid?
             params['auth_version'].to_s != '' && params['state'] != ''
@@ -12,12 +13,7 @@ module SSO
           def authenticate!
             debug { 'Authenticating from Passport...' }
 
-            authentication = nil
-            time = Benchmark.realtime do
-              authentication = ::SSO::Server::Authentications::Passport.new(request).authenticate
-            end
-
-            info { "The Passport verification took #{(time * 1000).round}ms" }
+            authentication = passport_authentication
 
             if authentication.success?
               debug { 'Authentication from Passport successful.' }
@@ -32,6 +28,12 @@ module SSO
             ::SSO.config.exception_handler.call exception
           end
 
+          def passport_authentication
+            benchmark 'Passport verification' do
+              ::SSO::Server::Authentications::Passport.new(request).authenticate
+            end
+          end
+
         end
       end
     end

data/lib/sso/server.rb

@@ -11,13 +11,12 @@ require 'sso/server/errors'
 require 'sso/server/passport'
 require 'sso/server/passports'
 require 'sso/server/geolocations'
-require 'sso/server/configuration'
-require 'sso/server/configure'
 require 'sso/server/engine'
 
 require 'sso/server/authentications/passport'
 require 'sso/server/middleware/passport_verification'
-require 'sso/server/middleware/passport_creation'
+require 'sso/server/middleware/passport_destruction'
+require 'sso/server/middleware/passport_exchange'
 
 require 'sso/server/warden/hooks/after_authentication'
 require 'sso/server/warden/hooks/before_logout'

data/spec/dummy/app/controllers/sessions_controller.rb

@@ -16,7 +16,7 @@ class SessionsController < ApplicationController
     warden.authenticate! :password
 
     if session[:return_path]
-      debug { "Sending tou back to #{session[:return_path]}" }
+      debug { "Sending you back to #{session[:return_path]}" }
       redirect_to session[:return_path]
       session[:return_path] = nil
     else

data/spec/dummy/config/application.rb

@@ -32,5 +32,11 @@ module Dummy
       manager.serialize_from_session { |id| User.find_by_id(id) }
     end
 
+    config.middleware.insert_after ::Warden::Manager, ::SSO::Server::Middleware::PassportVerification
+    config.middleware.insert_after ::Warden::Manager, ::SSO::Server::Middleware::PassportDestruction
+    config.middleware.insert_after ::Warden::Manager, ::SSO::Server::Middleware::PassportExchange
+    config.middleware.insert_after ::Warden::Manager, ::SSO::Server::Doorkeeper::GrantMarker
+    config.middleware.insert_after ::Warden::Manager, ::SSO::Server::Doorkeeper::AccessTokenMarker
+
   end
 end