sso_provyder 0.1.1

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2012 YOURNAME
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,33 @@
+A Rails Engine providing an Omniauth provider with single sign on features in a minute.
+
+Based on Devise, Authentifyd and joshsoftware/sso-devise-omniauth-provider. Parts directly taken from https://github.com/joshsoftware/sso-devise-omniauth-provider
+
+See sso_clyent for the client part.
+
+= Uses Authentifyd
+Devise + Omniauth Authentication encapsulated in an Engine
+
+== Installation
+
+* gem 'sso_provyder'
+* rake sso_provyder:initialize
+* rake sso_provyder:install:migrations
+* rake db:migrate
+* in config/routes.rb add:
+    * mount SsoProvyder::Engine => "/#{your root for sso_provyder}"
+    * you can also configure Authentifyd::Engine root inside SsoProvyder::Engine by defining SsoProvyder.authentifyd_path in an initializer file. (default to aut/ => sign_in_path = /#{your root for sso_provyder}/aut/users/sign_in)
+    * NB: don't mount Engine on root "/". This could be a feature added in the future but for the moment this possibility is not implemented.
+    
+* Configure Devise: copy paste http://raw.github.com/plataformatec/devise/master/lib/generators/templates/devise.rb in config/initializers/devise.rb. Edit it.
+  * NB: set "config.pepper".
+      ex: require 'securerandom' -> SecureRandom.hex(64)
+* Add Facebook and Twitter config files
+  * Example
+      staging:
+        app_id: APP ID FOR STAGING ENV
+        app_secret: APP SECRET FOR STAGING ENV
+      development: &development
+        app_id: APP ID FOR DEV ENV
+        app_secret: APP SECRET FOR DEV ENV
+      test:
+        <<: *development

data/Rakefile

@@ -0,0 +1,27 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'SsoProvyder'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+
+
+
+Bundler::GemHelper.install_tasks
+

data/app/assets/javascripts/sso_provyder/application.js

@@ -0,0 +1,15 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// the compiled file.
+//
+// WARNING: THE FIRST BLANK LINE MARKS THE END OF WHAT'S TO BE PROCESSED, ANY BLANK LINE SHOULD
+// GO AFTER THE REQUIRES BELOW.
+//
+//= require jquery
+//= require jquery_ujs
+//= require_tree .

data/app/assets/stylesheets/sso_provyder/application.css

@@ -0,0 +1,13 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or vendor/assets/stylesheets of plugins, if any, can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the top of the
+ * compiled file, but it's generally better to create a new file per style scope.
+ *
+ *= require_self
+ *= require_tree .
+ */

data/app/controllers/sso_provyder/application_controller.rb

@@ -0,0 +1,6 @@
+module SsoProvyder
+  class ApplicationController < ActionController::Base
+    protect_from_forgery
+    
+  end
+end

data/app/controllers/sso_provyder/auth_api_controller.rb

@@ -0,0 +1,41 @@
+class SsoProvyder::AuthApiController < SsoProvyder::AuthController
+  skip_before_filter :verify_authenticity_token, :only => [:valid_current_api_client, :valid_current_api_client_user]
+  before_filter :authenticate_app
+  before_filter :authenticate_api_client_app
+  
+  # is called by sso_api_clyent
+  # to check a client app is registered in sso_provyder
+  #
+  def valid_current_api_client
+    render :json => { :app =>  application_api_json(@application) }
+  end
+  
+  # is called by sso_api_clyent
+  # to check a client app is registered in sso_provyder
+  # and identify the current_user
+  #
+  def valid_current_api_client_user
+    access_grant = SsoProvyder::AccessGrant.authenticate_with({:access_token => params[:access_token], :client_id => @application.id})
+    if access_grant.nil?
+      render :json => {:error => "Could not authenticate Client App User"}
+      return
+    end
+    
+    render :json => { :app => application_api_json(@application), :user =>  user_api_json(access_grant.user) }
+  end
+  
+  private
+  
+  def application_api_json(app = nil)
+    { :name => app.try(:name), :id => app.try(:id) }
+  end
+  
+  def user_api_json(user = nil)
+    { :uid => user.try(:id) }
+  end
+  
+  def authenticate_api_client_app
+    args = { :app_id => params[:api_client_id], :app_secret => params[:api_client_secret] }
+    authenticate_application(args, "Api Client")
+  end
+end

data/app/controllers/sso_provyder/auth_controller.rb

@@ -0,0 +1,21 @@
+# parent to auth web and auth api
+class SsoProvyder::AuthController < SsoProvyder::ApplicationController
+  def authenticate_app
+    args = { :app_id => params[:client_id], :app_secret => params[:client_secret] }
+    authenticate_application(args, "Client")
+  end
+    
+  # role can be "Client" (Direct client) or "Api client" (Client calling the client)
+  #
+  def authenticate_application(args = {}, role = "Client")
+    @application = SsoProvyder::Client.authenticate(args[:app_id], args[:app_secret])
+
+    unless !!@application
+      render :json => {:error => "Could not find #{role} application"}
+      return
+    end
+    
+  end
+    
+  
+end

data/app/controllers/sso_provyder/auth_web_controller.rb

@@ -0,0 +1,64 @@
+class SsoProvyder::AuthWebController < SsoProvyder::AuthController
+  before_filter :authenticate_user!, :except => [:access_token]
+  skip_before_filter :verify_authenticity_token, :only => [:access_token]
+
+  def authorize
+    SsoProvyder::AccessGrant.prune!
+    access_grant = current_user.access_grants.create({  :client => application,
+                                                        :state => params[:state] },
+                                                        :without_protection => true)
+    redirect_to access_grant.redirect_uri_for(params[:redirect_uri])
+  end
+
+  def access_token
+    authenticate_app
+    
+    access_grant = SsoProvyder::AccessGrant.authenticate_with({:code => params[:code], :client_id => @application.id})
+    if access_grant.nil?
+      render :json => {:error => "Could not authenticate access code"}
+      return
+    end
+
+    access_grant = access_grant.start_expiry_period!
+    render :json => {:access_token => access_grant.access_token, :refresh_token => access_grant.refresh_token, :expires_in => (access_grant.access_token_expires_at - Time.now).to_i}
+  end
+
+  # IDEA: we could provide a way to customize this in options
+  # + extend Authentifyd user model attributes
+  #
+  def user
+    hash = {
+      :provider => 'sso',
+      :id => current_user.id.to_s,
+      :info => { :email      => current_user.email },
+      :extra => {}
+    }
+
+    render :json => hash.to_json
+  end
+
+  # Not Implemented ! (from josh software implementation)
+  # Incase, we need to check timeout of the session from a different application!
+  # This will be called ONLY if the user is authenticated and token is valid
+  # Extend the UserManager session
+  # def isalive
+  #   warden.set_user(current_user, :scope => :user)
+  #   response = { 'status' => 'ok' }
+  # 
+  #   respond_to do |format|
+  #     format.any { render :json => response.to_json }
+  #   end
+  # end
+
+  # Not Implemented ! (from josh software implementation)
+  # def failure
+  #   render :text => "ERROR: #{params[:message]}"
+  # end
+
+  protected
+
+  def application
+    @application ||= SsoProvyder::Client.find_by_app_id(params[:client_id])
+  end
+
+end

data/app/controllers/sso_provyder/registrations_controller.rb

@@ -0,0 +1,6 @@
+class SsoProvyder::RegistrationsController < Authentifyd::RegistrationsController
+
+  def after_update_path_for(scope)
+    session[:referrer] ? session[:referrer] : root_path
+  end
+end

data/app/helpers/sso_provyder/application_helper.rb

@@ -0,0 +1,4 @@
+module SsoProvyder
+  module ApplicationHelper
+  end
+end

data/app/models/sso_provyder/access_grant.rb

@@ -0,0 +1,33 @@
+class SsoProvyder::AccessGrant < ActiveRecord::Base
+  belongs_to :user, :class_name => (SsoProvyder.authentifyd_user_class.try(:to_s) || "User")
+  belongs_to :client
+  before_create :generate_tokens
+
+
+  def self.prune!
+    delete_all(["created_at < ?", 3.days.ago])
+  end
+
+  def self.authenticate_with(args = {})
+    where(args).first
+  end
+
+  def generate_tokens
+    self.code, self.access_token, self.refresh_token = SecureRandom.hex(16), SecureRandom.hex(16), SecureRandom.hex(16)
+  end
+
+  def redirect_uri_for(redirect_uri)
+    redirect_uri.match(/(\?.*)$/)
+    redirect_uri + "#{ !!$1 ? $1+'&' : '?' }code=#{code}&response_type=code&state=#{state}"
+  end
+
+  # Note: This is currently configured through Devise, 
+  # backed up by default value in SsoProvyder config
+  def start_expiry_period!
+    _expires_at = Time.now + (Devise.timeout_in || SsoProvyder.timeout_in)
+    self.update_attribute(:access_token_expires_at, _expires_at)
+    return self
+  end
+
+  attr_accessible :access_token_expires_at
+end

data/app/models/sso_provyder/client.rb

@@ -0,0 +1,8 @@
+class SsoProvyder::Client < ActiveRecord::Base
+
+  def self.authenticate(app_id, app_secret)
+    where(["app_id = ? AND app_secret = ?", app_id, app_secret]).first
+  end
+
+  attr_accessible :app_id, :app_secret
+end

data/app/models/sso_provyder.rb

@@ -0,0 +1,5 @@
+module SsoProvyder
+  def self.table_name_prefix
+    "sso_provyder_"
+  end
+end

data/app/views/layouts/sso_provyder/application.html.erb

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>SsoProvyder</title>
+  <%= stylesheet_link_tag    "sso_provyder/application", :media => "all" %>
+  <%= javascript_include_tag "sso_provyder/application" %>
+  <%= csrf_meta_tags %>
+</head>
+<body>
+
+<%= yield %>
+
+</body>
+</html>

data/config/initializers/authentifyd.rb

@@ -0,0 +1,22 @@
+Authentifyd.devise_config = { :registrations_controller => "SsoProvyder::Registrations" }
+Authentifyd.path = SsoProvyder.authentifyd_path
+Authentifyd.path_prefix = SsoProvyder.path
+Authentifyd.custom_css = SsoProvyder.custom_css
+
+module SsoProvyder
+  class Engine < Rails::Engine
+    config.after_initialize do
+      klass = SsoProvyder.authentifyd_user_class.constantize
+      klass.send(:has_many, :access_grants, :dependent => :delete_all, :class_name => "SsoProvyder::AccessGrant")
+      klass.send(:token_authentication_key=, "oauth_token")
+      klass.send(:define_singleton_method, :find_for_token_authentication) do |conditions|
+        where([%|sso_provyder_access_grants.access_token = ? AND 
+          (sso_provyder_access_grants.access_token_expires_at IS NULL OR 
+          sso_provyder_access_grants.access_token_expires_at > ?)|,
+          conditions[token_authentication_key], Time.now]).
+        joins(:access_grants).
+        select("#{klass.table_name}.*").first
+      end
+    end
+  end
+end

data/config/routes.rb

@@ -0,0 +1,14 @@
+SsoProvyder::Engine.routes.draw do
+  root :to => redirect { |p, req| req.flash.keep; "#{SsoProvyder.default_root}" }
+  mount Authentifyd::Engine => Authentifyd.path
+
+  match 'auth/sso/authorize' => 'auth_web#authorize'
+  match 'auth/sso/access_token' => 'auth_web#access_token'
+  match 'auth/sso/user' => 'auth_web#user'
+  match 'oauth/token' => 'auth_web#access_token'
+  
+  match 'auth/sso/valid_current_api_client'       => 'auth_api#valid_current_api_client'
+  match 'auth/sso/valid_current_api_client_user'  => 'auth_api#valid_current_api_client_user'
+
+  match "logout" => redirect {|params,request| "#{SsoProvyder.path}#{Authentifyd.path}/users/sign_out" + request.url[/\?.*$/]}
+end

data/db/migrate/20121123091659_create_access_grants.rb

@@ -0,0 +1,19 @@
+class CreateAccessGrants < ActiveRecord::Migration
+  def self.up
+    create_table :sso_provyder_access_grants do |t|
+      t.string :code
+      t.string :access_token
+      t.string :refresh_token
+      t.datetime :access_token_expires_at
+      t.integer :user_id
+      t.integer :client_id
+      t.string :state
+
+      t.timestamps
+    end
+  end
+
+  def self.down
+    drop_table :access_grants
+  end
+end

data/db/migrate/20121123091700_create_clients.rb

@@ -0,0 +1,15 @@
+class CreateClients < ActiveRecord::Migration
+  def self.up
+    create_table :sso_provyder_clients do |t|
+      t.string :name
+      t.string :app_id
+      t.string :app_secret
+
+      t.timestamps
+    end
+  end
+
+  def self.down
+    drop_table :clients
+  end
+end

data/lib/sso_provyder/engine.rb

@@ -0,0 +1,9 @@
+module SsoProvyder
+  class Engine < ::Rails::Engine
+    isolate_namespace SsoProvyder
+
+    config.generators do |g|
+          g.test_framework :rspec, :view_specs => false
+    end
+  end
+end

data/lib/sso_provyder/version.rb

@@ -0,0 +1,3 @@
+module SsoProvyder
+  VERSION = "0.1.1"
+end

data/lib/sso_provyder.rb

@@ -0,0 +1,32 @@
+require "sso_provyder/engine"
+require 'authentifyd'
+
+module SsoProvyder
+  mattr_accessor :authentifyd_user_class, :authentifyd_path
+  def self.authentifyd_user_class
+    @@authentifyd_user_class ||= "Authentifyd::User"
+  end
+  def self.authentifyd_path
+    @@authentifyd_path ||= "/aut"
+  end
+
+  # needed to palliate Devise.timeout_in if missing
+  # used for Access Grant expiration
+  mattr_accessor :timeout_in
+  def self.timeout_in
+    @@timeout_in ||= 1.days
+  end
+
+  mattr_accessor :path
+  def self.path
+    @@path ||= "/sso"
+  end
+  
+  mattr_accessor :default_root
+  def self.default_root
+    @@default_root ||= "/"
+  end
+  
+  mattr_accessor :custom_css
+end
+

data/lib/tasks/sso_provyder_tasks.rake

@@ -0,0 +1,20 @@
+# desc "Explaining what the task does"
+# task :sso_provyder do
+#   # Task goes here
+# end
+namespace :sso_provyder do
+  desc "Initialize db"
+  task :initialize => :environment do
+    ActiveRecord::Base.establish_connection(ActiveRecord::Base.configurations[Rails.env])
+    unless ActiveRecord::Base.connection.table_exists? 'authentifyd_users'
+      %x(rake authentifyd:install:migrations)
+      # %x(rake db:migrate)
+      puts "\n"
+      puts '---------------------------------------------------------------------------------------------------'
+      puts "Added migrations for Authentifyd tables"
+      puts '---------------------------------------------------------------------------------------------------'
+      # and ran rake db:migrate on #{Rails.env} environement"
+      puts "\n"
+    end
+  end
+end

metadata

@@ -0,0 +1,150 @@
+--- !ruby/object:Gem::Specification
+name: sso_provyder
+version: !ruby/object:Gem::Version
+  version: 0.1.1
+  prerelease: 
+platform: ruby
+authors:
+- NicoArbogast
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-03-05 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.2.8
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.2.8
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: authentifyd
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.0.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.0.3
+- !ruby/object:Gem::Dependency
+  name: mysql2
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Based on Devise, Authentifyd and joshsoftware/sso-devise-omniauth-provider.
+  Parts directly taken from https://github.com/joshsoftware/sso-devise-omniauth-provider
+email:
+- nicolas.arbogast@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- app/assets/javascripts/sso_provyder/application.js
+- app/assets/stylesheets/sso_provyder/application.css
+- app/controllers/sso_provyder/application_controller.rb
+- app/controllers/sso_provyder/auth_api_controller.rb
+- app/controllers/sso_provyder/auth_controller.rb
+- app/controllers/sso_provyder/auth_web_controller.rb
+- app/controllers/sso_provyder/registrations_controller.rb
+- app/helpers/sso_provyder/application_helper.rb
+- app/models/sso_provyder/access_grant.rb
+- app/models/sso_provyder/client.rb
+- app/models/sso_provyder.rb
+- app/views/layouts/sso_provyder/application.html.erb
+- config/initializers/authentifyd.rb
+- config/routes.rb
+- db/migrate/20121123091659_create_access_grants.rb
+- db/migrate/20121123091700_create_clients.rb
+- lib/sso_provyder/engine.rb
+- lib/sso_provyder/version.rb
+- lib/sso_provyder.rb
+- lib/tasks/sso_provyder_tasks.rake
+- MIT-LICENSE
+- Rakefile
+- README.rdoc
+homepage: https://github.com/NicoArbogast/sso_client
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: A Rails Engine providing an Omniauth provider with single sign on features
+  in a minute.
+test_files: []