sso 0.1.0.alpha1 → 0.1.0.alpha2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 502a677d0dbb1abcd9a531c018bd095e6fa2fe5e
-  data.tar.gz: f7e1c5290d4ea845680b4c82272e391958a36889
+  metadata.gz: dcd7cedda8e78677b8c5ea0eff1a558659daa1c1
+  data.tar.gz: 79fe0ceb4869c29d8a1cf886018816e76ca0d616
 SHA512:
-  metadata.gz: 3c9f9227968a527cd8fb844ee69bacfb92041b10fc47f1937b9a578d79b1b286b83ccdc9a57183173a5637d3e093b81e4ce59a0edd5f61cf60d880264973d719
-  data.tar.gz: 8909701cee344d1cfb73d1e2549816a74cd580ddbd108d87ebf4c9495d9aafc93edd7eecfd66ba5e18919c2a66018636fa02543392fc23ac5c3a6e75521095e0
+  metadata.gz: 755b13e0c16bc4824e1c2bf33a0adc5a4a5078367ad0efccca69d7efc9295c44909722df80b73ca7d65bbc059f744bcf57715aa731c1d9e49a6df845e6c7957a
+  data.tar.gz: 5237534c2a282e8fb04cffe903774526c16f347f40b9dff1e3a8f73bd1eefd09fdcb74c922a148516b4bc8a9d9cbe946c037dafd6eea0143e221b2e9ff40a260

data/lib/sso/benchmarking.rb

@@ -0,0 +1,14 @@
+module SSO
+  module Benchmarking
+    include ::SSO::Logging
+
+    def benchmark(name, &block)
+      result = nil
+      seconds = Benchmark.realtime do
+        result = block.call
+      end
+      info { "#{name} took #{(seconds * 1000).round}ms" }
+      result
+    end
+  end
+end

data/lib/sso/client.rb

@@ -0,0 +1,7 @@
+require 'httparty'
+require 'signature'
+require 'warden'
+
+require 'sso/client/passport'
+require 'sso/client/omniauth/strategies/sso'
+require 'sso/client/warden/hooks/after_fetch'

data/lib/sso/client/README.md

@@ -0,0 +1,92 @@
+# Setting up an SSO client
+
+## Assumptions
+
+* You have a rack app (e.g. Rails)
+* You are not going to have a database table with users in your OAuth Clients. That information is only available in the [Rails OAuth server](https://github.com/halo/sso/blob/master/lib/sso/server/README.md).
+* To avoid implementing your own solutions, you should use `warden.user` to persist your user in the session in the OAuth rails clients. It is no problem to use warden scopes here in the client.
+
+## How it works
+
+#### Trusted OAuth clients
+
+* A trusted OAuth client, let's call it `Alpha`, uses the `Authorization Code Grant` to obtain an OAuth `access_token` with the OAuth permission scope `insider`.
+* The browser of the end user actually "visits" `Bouncer` for the login. That's where the user is persisted into the session. And that's where a passport is created for the user. So basically, through the OAuth server cookie, the SSO session is tied together. As long as it is there, you are logged in (in that browser e.g.).
+
+#### Unstrusted OAuth clients
+
+* A public OAuth Client, such as an `iPhone`, uses the `Resource Owner Password Credentials Grant` to exchange the `username` and `password` of the end user for an OAuth `access_token` with the OAuth permission scope `outsider`.
+* You exchange the `access_token` for a passport token. That is effectively your API token used to communicate with the OAuth Rails clients.
+* The OAuth Rails clients verify that token with the OAuth server at every request.
+* In effect, this turns your iPhone app into a Browser, technically not an OAuth Client.
+
+#### Also good to know
+
+* If the passport verification request times out (like 100ms), the authentication/authorization of the previous request is assumed to still be valid.
+
+## Setup (trusted client)
+
+#### Add the gem to your Gemfile
+
+```ruby
+# Gemfile
+gem 'sso', require: 'sso/client'
+```
+
+#### Make sure you activated the Warden middleware provided by the `warden` gem
+
+See [the Warden wiki](https://github.com/hassox/warden/wiki/Setup)
+
+#### Set the URL to the SSO Server
+
+See [also this piece of code](https://github.com/halo/sso/blob/master/lib/sso/client/omniauth/strategies/sso.rb#L7-L17).
+
+```bash
+OMNIAUTH_SSO_ENDPOINT="http://server.example.com"
+```
+
+#### Setup your login logic
+
+Rails Example:
+
+```ruby
+class SessionsController < ApplicationController
+  delegate :logout, to: :warden
+
+  def new
+    redirect_to '/auth/sso'
+  end
+
+  def create
+    warden.set_user auth_hash.info.to_hash
+    redirect_to root_path
+  end
+
+  def destroy
+    warden.logout
+  end
+
+  private
+
+  def auth_hash
+    request.env['omniauth.auth]
+  end
+
+  def warden
+    request.env['warden']
+  end
+
+end
+````
+
+#### Activate the middleware
+
+This is done by making use of [Warden callbacks](https://github.com/hassox/warden/wiki/Callbacks). See [this piece of code](https://github.com/halo/sso/blob/master/lib/sso/client/warden/hooks/after_fetch.rb#L18-L22).
+
+```ruby
+# e.g. config/initializers/warden.rb
+# The options are passed on to `::Warden::Manager.after_fetch`
+SSO::Client::Warden::Hooks::AfterFetch.activate scope: :vip
+``
+#### Profit
+

data/lib/sso/client/omniauth/strategies/sso.rb

@@ -0,0 +1,58 @@
+require 'omniauth-oauth2'
+
+module OmniAuth
+  module Strategies
+    class SSO < OmniAuth::Strategies::OAuth2
+
+      def self.endpoint
+        if ENV['OMNIAUTH_SSO_ENDPOINT'].to_s != ''
+          ENV['OMNIAUTH_SSO_ENDPOINT'].to_s
+        elsif development_environment?
+          ENV['OMNIAUTH_SSO_ENDPOINT'] || 'http://sso.dev:8080'
+        elsif test_environment?
+          'https://sso.example.com'
+        else
+          fail 'You must set OMNIAUTH_SSO_ENDPOINT to point to the SSO OAuth server'
+        end
+      end
+
+      def self.development_environment?
+        defined?(Rails) && Rails.env.development?
+      end
+
+      def self.test_environment?
+        defined?(Rails) && Rails.env.test? || ENV['RACK_ENV'] == 'test'
+      end
+
+      def self.passports_path
+        if ENV['OMNIAUTH_SSO_PASSPORTS_PATH'].to_s != ''
+          ENV['OMNIAUTH_SSO_PASSPORTS_PATH'].to_s
+        else
+          # We know this namespace is not occupied because /oauth is owned by Doorkeeper
+          '/oauth/sso/v1/passports'
+        end
+      end
+
+      option :name, :sso
+      option :client_options, site: endpoint, authorize_path: '/oauth/authorize'
+
+      uid { raw_info['id'] if raw_info }
+
+      info do
+        {
+          # Passport
+          id:     uid,
+          state:  raw_info['state'],
+          secret: raw_info['secret'],
+          user:   raw_info['user'],
+        }
+      end
+
+      def raw_info
+        params = { ip: request.ip, agent: request.user_agent }
+        @raw_info ||= access_token.post(self.class.passports_path, params: params).parsed
+      end
+
+    end
+  end
+end

data/lib/sso/client/passport.rb

@@ -0,0 +1,25 @@
+module SSO
+  module Client
+    class Passport
+
+      attr_reader :id, :secret, :state, :user
+
+      def initialize(id:, secret:, state:, user:)
+        @id, @secret, @state, @user = id, secret, state, user
+      end
+
+      def verified!
+        @verified = true
+      end
+
+      def verified?
+        @verified == true
+      end
+
+      def unverified?
+        !verified?
+      end
+
+    end
+  end
+end

data/lib/sso/client/warden/hooks/after_fetch.rb

@@ -0,0 +1,179 @@
+module SSO
+  module Client
+    module Warden
+      module Hooks
+        # This is a helpful `Warden::Manager.after_fetch` hook for Alpha and Beta.
+        # Whenever Carol is fetched out of the session, we also verify her passport.
+        #
+        # Usage:
+        #
+        #   SSO::Client::Warden::Hooks::AfterFetch.activate scope: :vip
+        #
+        class AfterFetch
+          include ::SSO::Logging
+          include ::SSO::Benchmarking
+
+          attr_reader :passport, :warden, :options
+
+          def self.activate(warden_options)
+            ::Warden::Manager.after_fetch(warden_options) do |passport, warden, options|
+              ::SSO::Client::Warden::Hooks::AfterFetch.new(passport: passport, warden: warden, options: options).call
+            end
+          end
+
+          def initialize(passport:, warden:, options:)
+            @passport, @warden, @options = passport, warden, options
+          end
+
+          def call
+            return unless passport.is_a?(::SSO::Client::Passport)
+            verify
+
+          rescue Timeout::Error
+            error { 'SSO Server timed out. Continuing with last known authentication/authorization...' }
+            # meter status: :timeout, scope: scope, passport_id: user.passport_id, timeout_ms: human_readable_timeout_in_ms
+
+          rescue => exception
+            ::SSO.config.exception_handler.call exception
+          end
+
+          private
+
+          def verify
+            debug { "Validating Passport #{passport.id.inspect} of logged in #{passport.user.class} in scope #{warden_scope.inspect}" }
+            return server_unreachable!                   unless response.code == 200
+            return server_response_not_parseable!        unless parsed_response
+            return server_response_missing_success_flag! unless response_has_success_flag?
+            return server_response_unsuccessful!         unless parsed_response['success'].to_s == 'true'
+            verify!
+
+          rescue JSON::ParserError
+            error { 'SSO Server response is not valid JSON.' }
+            error { response.inspect }
+          end
+
+          def verify!
+            code = parsed_response['code'].to_s == '' ? :unknown_response_code : parsed_response['code'].to_s.to_sym
+
+            case code
+            when :passport_changed    then valid_passport_changed!
+            when :passpord_unmodified then valid_passport_remains!
+            when :passport_invalid    then invalid_passport!
+            else                           unexpected_server_response_status!
+            end
+          end
+
+          def parsed_response
+            response.parsed_response
+          end
+
+          def response_has_success_flag?
+            parsed_response && parsed_response.respond_to?(:key?) && parsed_response.key?('success')
+          end
+
+          def valid_passport_changed!
+            debug { 'Valid passport, but state changed' }
+            passport.verified!
+            # meter status: :valid, passport_id: user.passport_id
+          end
+
+          def valid_passport_remains!
+            debug { 'Valid passport, no changes' }
+            user.verified!
+            # meter status: :valid, passport_id: user.passport_id
+          end
+
+          def invalid_passport!
+            info { 'Your Passport is not valid any more.' }
+            warden.logout warden_scope
+            # meter status: :invalid, passport_id: user.passport_id
+          end
+
+          def server_unreachable!
+            error { "SSO Server responded with an unexpected HTTP status code (#{response.code.inspect} instead of 200)." }
+          end
+
+          def server_response_missing_success_flag!
+            error { 'SSO Server response did not include the expected success flag.' }
+          end
+
+          def unexpected_server_response_status!
+            error { 'SSO Server response did not include a known passport status code.' }
+          end
+
+          def server_response_not_parseable!
+            error { 'SSO Server response could not be parsed at all.' }
+          end
+
+          def endpoint
+            URI.join(base_endpoint, path).to_s
+          end
+
+          def query_params
+            params.merge auth_hash
+          end
+
+          # Needs to be configurable
+          def path
+            OmniAuth::Strategies::SSO.passports_path
+          end
+
+          def base_endpoint
+            OmniAuth::Strategies::SSO.endpoint
+          end
+
+          def meter(*_)
+            # This will be a hook for e.g. statistics, benchmarking, etc, measure everything
+          end
+
+          def ip
+            warden.request.ip
+          end
+
+          def agent
+            warden.request.user_agent
+          end
+
+          def warden_scope
+            options[:scope]
+          end
+
+          def params
+            { ip: ip, agent: agent, state: passport.state }
+          end
+
+          def token
+            Signature::Token.new passport.id, passport.secret
+          end
+
+          def signature_request
+            Signature::Request.new('GET', path, params)
+          end
+
+          def auth_hash
+            signature_request.sign token
+          end
+
+          def human_readable_timeout_in_ms
+            (timeout_in_seconds * 1000).round
+          end
+
+          def timeout_in_seconds
+            0.1.seconds
+          end
+
+          def response
+            @response ||= response!
+          end
+
+          def response!
+            benchmark 'Passport authorization request' do
+              ::HTTParty.get endpoint, timeout: timeout_in_seconds, query: query_params, headers: { 'Accept' => 'application/json' }
+            end
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/sso/logging.rb

@@ -0,0 +1,36 @@
+module SSO
+  # One thing tha bugs me is when I cannot see which part of the code caused a log message.
+  # This mixin will include the current class name as Logger `progname` so you can show that it in your logfiles.
+  #
+  module Logging
+
+    def debug(&block)
+      logger && logger.debug(progname, &block)
+    end
+
+    def info(&block)
+      logger && logger.info(progname, &block)
+    end
+
+    def warn(&block)
+      logger && logger.warn(progname, &block)
+    end
+
+    def error(&block)
+      logger && logger.error(progname, &block)
+    end
+
+    def fatal(&block)
+      logger && logger.fatal(progname, &block)
+    end
+
+    def progname
+      self.class.name
+    end
+
+    def logger
+      ::SSO.config.logger
+    end
+
+  end
+end

data/lib/sso/server.rb

@@ -0,0 +1,26 @@
+require 'rails' # <- Doorkeeper secretly depends on this
+require 'doorkeeper'
+require 'operation'
+require 'httparty'
+require 'omniauth'
+require 'signature'
+require 'warden'
+
+require 'sso/server/errors'
+require 'sso/server/passport'
+require 'sso/server/passports'
+require 'sso/server/geolocations'
+require 'sso/server/configuration'
+require 'sso/server/configure'
+require 'sso/server/engine'
+
+require 'sso/server/authentications/passport'
+require 'sso/server/middleware/passport_verification'
+
+require 'sso/server/warden/hooks/after_authentication'
+require 'sso/server/warden/hooks/before_logout'
+require 'sso/server/warden/strategies/passport'
+
+require 'sso/server/doorkeeper/resource_owner_authenticator'
+require 'sso/server/doorkeeper/grant_marker'
+require 'sso/server/doorkeeper/access_token_marker'