sso 0.1.1 → 0.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3427c7a74fc824e4a590aae4dedb206cd0c3f89c
-  data.tar.gz: 13355ce7e47c5088774fc5608b453dee91578136
+  metadata.gz: 5e1f2feee69f64105e38a748befeebe0de6d33a5
+  data.tar.gz: c0637201a0d104c075dc7c049eef0d9f381e0596
 SHA512:
-  metadata.gz: 976e470dbb0a78ac0184a6a5d4381af04008cf158516d4b9106b08ad3eb2865257e6da196ba4affdd4e2318e50bb1f4aeed67e5b8fd6c47c4b2a8bfe1c96b5ff
-  data.tar.gz: c4cf08a461736d1df4ff3ff88a69fa6c424354cfe1739d6e561839b3f7f9798484cc75b86e20e48f0d7556441e4bb71757c033efd0deb0dbafcdb7868392fd18
+  metadata.gz: 3fbaa085b9054c762040a7a91f19999ce4a7745b388c431ff754f7b7c23ffc6ac21e15f8bc3cfeb995dd8803682cd363117f13577ccd4c7ddb24647f96a179db
+  data.tar.gz: 336dfa7ce8ee44a663fe2a8678c67966f021f4a2927fded0d239333877e9043e9fead2c503f1296d2df54b225e913cfbfed669d43ad612e3a9921679a710c346

data/lib/sso/client/authentications/passport.rb

@@ -127,7 +127,7 @@ module SSO
             decipher.key = chip_key
             decipher.iv = chip_iv
             plaintext = decipher.update(chip_ciphertext) + decipher.final
-            logger.debug { "Decryptied chip plaintext #{plaintext.inspect} using key #{chip_key.inspect} and iv #{chip_iv.inspect} and ciphertext #{chip_ciphertext.inspect}" }
+            logger.debug { "Decrypted chip plaintext #{plaintext.inspect} using key #{chip_key.inspect} and iv #{chip_iv.inspect} and ciphertext #{chip_ciphertext.inspect}" }
             plaintext
           end
         end

data/lib/sso/client/passport_verifier.rb

@@ -52,7 +52,7 @@ module SSO
       def received_passport
         ::SSO::Client::Passport.new received_passport_attributes
 
-      rescue ArgumentError => exception
+      rescue ArgumentError
         error { "Could not instantiate Passport from serialized response #{received_passport_attributes.inspect}" }
         raise
       end
@@ -66,7 +66,25 @@ module SSO
       end
 
       def params
-        { ip: user_ip, agent: user_agent, device_id: device_id, state: passport_state }
+        result = { ip: user_ip, agent: user_agent, device_id: device_id, state: passport_state }
+        result.merge! insider_id: insider_id, insider_signature: insider_signature
+        result
+      end
+
+      def insider_id
+        ::SSO.config.oauth_client_id
+      end
+
+      def insider_secret
+        ::SSO.config.oauth_client_secret
+      end
+
+      def insider_signature
+        ::OpenSSL::HMAC.hexdigest signature_digest, insider_secret, user_ip
+      end
+
+      def signature_digest
+        OpenSSL::Digest.new 'sha1'
       end
 
       def token
@@ -89,7 +107,7 @@ module SSO
         (timeout_in_milliseconds / 1000).round 2
       end
 
-      # TODO Needs to be configurable
+      # TODO: Needs to be configurable
       def path
         OmniAuth::Strategies::SSO.passports_path
       end

data/lib/sso/client/warden/hooks/after_fetch.rb

@@ -109,7 +109,7 @@ module SSO
             # This will be a hook for e.g. statistics, benchmarking, etc, measure everything
           end
 
-          # TODO Use ActionDispatch remote IP or you might get the Load Balancer's IP instead :(
+          # TODO: Use ActionDispatch remote IP or you might get the Load Balancer's IP instead :(
           def ip
             request.ip
           end

data/lib/sso/server.rb

@@ -10,6 +10,7 @@ require 'sso'
 require 'sso/server/errors'
 require 'sso/server/passport'
 require 'sso/server/passports'
+require 'sso/server/passports/activity'
 require 'sso/server/engine'
 
 require 'sso/server/authentications/passport'

data/lib/sso/server/authentications/passport.rb

@@ -54,7 +54,6 @@ module SSO
           yield Operations.failure :passport_not_found   if passport.blank?
           yield Operations.failure :passport_revoked     if passport.invalid?
           debug { 'Arguments are fine.' }
-          #yield Operations.failure :user_not_encapsulated if passport.user.blank?
           Operations.success :arguments_are_valid
         end
 
@@ -83,7 +82,8 @@ module SSO
         end
 
         def passport!
-          return unless record = backend.find_by_id(passport_id)
+          record = backend.find_by_id(passport_id)
+          return unless record
           debug { "Successfully loaded Passport #{passport_id} from database." }
           record
         end

data/lib/sso/server/configuration.rb

@@ -37,6 +37,16 @@ module SSO
     end
     attr_writer :passport_verification_timeout_ms
 
+    def oauth_client_id
+      @oauth_client_id || fail('You need to configure the oauth_client_id, see SSO::Configuration for more info.')
+    end
+    attr_writer :oauth_client_id
+
+    def oauth_client_secret
+      @oauth_client_secret || fail('You need to configure the oauth_client_secret, see SSO::Configuration for more info.')
+    end
+    attr_writer :oauth_client_secret
+
     # Both
 
     def exception_handler
@@ -89,13 +99,13 @@ module SSO
       proc do |exception|
         return unless ::SSO.config.logger
         ::SSO.config.logger.error(self.class) do
-          "An internal error occured #{exception.class.name} #{exception.message} #{exception.backtrace[0..5].join(' ') if exception.backtrace}"
+          "An internal error occurred #{exception.class.name} #{exception.message} #{exception.backtrace[0..5].join(' ') if exception.backtrace}"
         end
       end
     end
 
     def default_human_readable_location_for_ip
-      proc do |ip|
+      proc do
         'Unknown'
       end
     end

data/lib/sso/server/middleware/passport_destruction.rb

@@ -11,7 +11,7 @@ module SSO
         def call(env)
           request = Rack::Request.new(env)
 
-          if !(request.delete? && request.path.start_with?(passports_path))
+          unless request.delete? && request.path.start_with?(passports_path)
             debug { "I'm not interested in this #{request.request_method.inspect} request to #{request.path.inspect} I only care for DELETE #{passports_path.inspect}" }
             return @app.call(env)
           end

data/lib/sso/server/middleware/passport_exchange.rb

@@ -12,10 +12,8 @@ module SSO
 
         def call(env)
           request = Rack::Request.new(env)
-          remote_ip = request.env['action_dispatch.remote_ip'].to_s
-          device_id = request.params['device_id']
 
-          if !(request.post? && request.path == passports_path)
+          unless request.post? && request.path == passports_path
             debug { "I'm not interested in this #{request.request_method.inspect} request to #{request.path.inspect} I only care for POST #{passports_path.inspect}" }
             return @app.call(env)
           end
@@ -24,13 +22,8 @@ module SSO
           debug { "Detected incoming Passport creation request for access token #{token.inspect}" }
           access_token = ::Doorkeeper::AccessToken.find_by_token token
 
-          unless access_token
-            return json_code :access_token_not_found
-          end
-
-          unless access_token.valid?
-            return json_code :access_token_invalid
-          end
+          return json_code :access_token_not_found unless access_token
+          return json_code :access_token_invalid unless access_token.valid?
 
           finding = ::SSO::Server::Passports.find_by_access_token_id(access_token.id)
           if finding.failure?

data/lib/sso/server/passport.rb

@@ -71,7 +71,7 @@ module SSO
           ciphertext = cipher.update chip_plaintext
           ciphertext << cipher.final
           debug { "The Passport chip plaintext #{chip_plaintext.inspect} was encrypted using key #{chip_key.inspect} and IV #{chip_iv.inspect} and resultet in ciphertext #{ciphertext.inspect}" }
-          chip = [Base64.encode64(ciphertext).strip(), Base64.encode64(chip_iv).strip()].join('|')
+          chip = [Base64.encode64(ciphertext).strip, Base64.encode64(chip_iv).strip].join('|')
           logger.debug { "Augmented passport #{id.inspect} with chip #{chip.inspect}" }
           chip
         end

data/lib/sso/server/passports.rb

@@ -43,28 +43,7 @@ module SSO
       def self.update_activity(passport_id:, request:)
         record = find_valid_passport(passport_id) { |failure| return failure }
 
-        immediate_ip = request.respond_to?(:remote_ip) ? request.remote_ip : request.ip
-        if record.insider?
-          proxied_ip = request['ip']
-          unless proxied_ip
-            warn { "There should have been a proxied IP param, but there was none. I will use the immediare IP #{immediate_ip} now." }
-            proxied_ip = immediate_ip
-          end
-          attributes = { ip: proxied_ip, agent: request['agent'], device: request['device_id'] }
-        else
-          attributes = { ip: immediate_ip, agent: request.user_agent, device: request.params['device_id'] }
-        end
-        attributes.merge! activity_at: Time.now
-
-        record.stamps ||= {}  # <- Not thread-safe, this may potentially delete all existing stamps, I guess
-        record.stamps[attributes[:ip]] = Time.now.to_i
-
-        debug { "Updating activity of #{record.insider? ? :insider : :outsider} Passport #{passport_id.inspect} using IP #{attributes[:ip]} agent #{attributes[:agent]} and device #{attributes[:device]}" }
-        if record.update_attributes(attributes)
-          Operations.success :passport_metadata_updated
-        else
-          Operations.failure :could_not_update_passport_activity, object: record.errors.to_hash
-        end
+        ::SSO::Server::Passports::Activity.new(passport: record, request: request).call
       end
 
       def self.register_authorization_grant(passport_id:, token:)

data/lib/sso/server/passports/activity.rb

@@ -0,0 +1,92 @@
+module SSO
+  module Server
+    module Passports
+      class Activity
+        include ::SSO::Logging
+
+        attr_reader :passport, :request
+
+        def initialize(passport:, request:)
+          @passport = passport
+          @request = request
+        end
+
+        def call
+          if passport.insider? || trusted_proxy_app?
+            proxied_ip = request['ip']
+            unless proxied_ip
+              warn { "There should have been a proxied IP param, but there was none. I will use the immediate IP #{immediate_ip} now." }
+              proxied_ip = immediate_ip
+            end
+            attributes = { ip: proxied_ip, agent: request['agent'], device: request['device_id'] }
+          else
+            attributes = { ip: immediate_ip, agent: request.user_agent, device: request['device_id'] }
+          end
+          attributes.merge! activity_at: Time.now
+
+          passport.stamps ||= {}  # <- Not thread-safe, this may potentially delete all existing stamps, I guess
+          passport.stamps[attributes[:ip]] = Time.now.to_i
+
+          debug { "Updating activity of #{passport.insider? ? :insider : :outsider} Passport #{passport.id.inspect} using IP #{attributes[:ip]} agent #{attributes[:agent]} and device #{attributes[:device]}" }
+          if passport.update_attributes(attributes)
+            Operations.success :passport_metadata_updated
+          else
+            Operations.failure :could_not_update_passport_activity, object: passport.errors.to_hash
+          end
+        end
+
+        def trusted_proxy_app?
+          unless insider_id
+            debug { 'This is an immediate request because there is no insider_id param' }
+            return
+          end
+
+          unless insider_signature
+            debug { 'This is an immediate request because there is no insider_signature param' }
+            return
+          end
+
+          application = ::Doorkeeper::Application.find_by_id(insider_id)
+          unless application
+            warn { 'The insider_id param does not correspond to an existing Doorkeeper Application' }
+            return
+          end
+
+          unless application.scopes.include?('insider')
+            warn { 'The Doorkeeper Application belonging to this insider_id param is considered an outsider' }
+            return
+          end
+
+          expected_signature = ::OpenSSL::HMAC.hexdigest signature_digest, application.secret, proxied_ip
+          unless insider_signature == expected_signature
+            warn { "The insider signature #{insider_signature.inspect} does not match my expectation #{expected_signature.inspect}" }
+            return
+          end
+
+          debug { 'This is a proxied request because insider_id and insider_signature are valid' }
+          true
+        end
+
+        def signature_digest
+          OpenSSL::Digest.new 'sha1'
+        end
+
+        def proxied_ip
+          request['ip']
+        end
+
+        def insider_id
+          request['insider_id']
+        end
+
+        def insider_signature
+          request['insider_signature']
+        end
+
+        def immediate_ip
+          request.respond_to?(:remote_ip) ? request.remote_ip : request.ip
+        end
+      end
+    end
+  end
+end

data/spec/lib/sso/client/authentications/passport_spec.rb

@@ -1,6 +1,6 @@
 require 'spec_helper'
 
-RSpec.describe SSO::Client::Authentications::Passport, type: :request, db: true do
+RSpec.describe SSO::Client::Authentications::Passport, type: :request, db: true, reveal_exceptions: true do
 
   # Untrusted Client
   let(:request_method)    { 'GET' }
@@ -31,12 +31,15 @@ RSpec.describe SSO::Client::Authentications::Passport, type: :request, db: true
   let(:passport_chip)   { server_passport.chip! }
 
   # Server
+  let(:oauth_client)     { create :outsider_doorkeeper_application }
   let(:insider)          { false }
   let(:server_user)      { create :user, name: 'Emily', tags: %i(cool nice) }
   let!(:server_passport) { create :passport, user: server_user, owner_id: server_user.id, ip: ip, agent: agent, insider: insider }
 
   before do
     SSO.config.passport_chip_key = SecureRandom.hex
+    SSO.config.oauth_client_id = oauth_client.id
+    SSO.config.oauth_client_secret = oauth_client.secret
   end
 
   context 'no changes' do
@@ -57,16 +60,26 @@ RSpec.describe SSO::Client::Authentications::Passport, type: :request, db: true
         expect(passport).to be_modified
       end
 
-      it 'tracks the immediate request IP' do
-        expect(server_passport.reload.ip).to eq '127.0.0.1'
-      end
-
       it 'attaches the user attributes to the passport' do
         expect(passport.user).to be_instance_of Hash
         expect(passport.user['name']).to eq 'Emily'
         expect(passport.user['email']).to eq 'emily@example.com'
         expect(passport.user['tags'].sort).to eq %w(cool is_working_from_home nice).sort
       end
+
+      context 'outsider oauth client' do
+        it 'tracks the immediate request IP' do
+          expect(server_passport.reload.ip).to eq '127.0.0.1'
+        end
+      end
+
+      context 'insider oauth client' do
+        let(:oauth_client) { create :insider_doorkeeper_application }
+
+        it 'tracks the untrusted client IP' do
+          expect(server_passport.reload.ip).to eq ip
+        end
+      end
     end
 
     context 'insider passport' do

data/spec/lib/sso/client/warden/hooks/after_fetch_spec.rb

@@ -27,6 +27,8 @@ RSpec.describe SSO::Client::Warden::Hooks::AfterFetch, type: :request, db: true
     # The server dynamically injects some tags. In order to calculate the user state correctly in our test setup,
     # We need to "simulate" what the tags will look like once the server modified them. No big problem.
     allow(server_user).to receive(:tags).and_return %w(wears_glasses is_working_from_home never_gives_up)
+    SSO.config.oauth_client_id = SecureRandom.hex
+    SSO.config.oauth_client_secret = SecureRandom.hex
   end
 
   context 'invalid passport' do

data/spec/spec_helper.rb

@@ -44,8 +44,16 @@ RSpec.configure do |config|
     DatabaseCleaner.start
   end
 
+  config.before :each, reveal_exceptions: true do
+    SSO.config.exception_handler = proc { |exception| fail exception }
+  end
+
   config.after :each do
     Timecop.return
+    SSO.config.exception_handler = nil
+    SSO.config.passport_chip_key = nil
+    SSO.config.oauth_client_id = nil
+    SSO.config.oauth_client_secret = nil
   end
 
   config.after :each, db: true do

data/spec/support/sso/test/helpers.rb

@@ -5,8 +5,8 @@ module SSO
     module Helpers
 
       # Inspired by Warden::Spec::Helpers
-      def env_with_params(path = "/", params = {}, env = {})
-        method = params.delete(:method) || "GET"
+      def env_with_params(path = '/', params = {}, env = {})
+        method = params.delete(:method) || 'GET'
         env = { 'HTTP_VERSION' => '1.1', 'REQUEST_METHOD' => "#{method}" }.merge(env)
         Rack::MockRequest.env_for "#{path}?#{Rack::Utils.build_query(params)}", env
       end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sso
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.2
 platform: ruby
 authors:
 - halo
@@ -281,6 +281,7 @@ files:
 - lib/sso/server/middleware/passport_verification.rb
 - lib/sso/server/passport.rb
 - lib/sso/server/passports.rb
+- lib/sso/server/passports/activity.rb
 - lib/sso/server/warden/hooks/after_authentication.rb
 - lib/sso/server/warden/hooks/before_logout.rb
 - lib/sso/server/warden/strategies/passport.rb