ssomg 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: a63ab61cb909c5033977d9bb959ee2dbc49ee82d
+  data.tar.gz: '09a6599e0c2b37fd432dde7bb07f8990f20f6db7'
+SHA512:
+  metadata.gz: 205c2b2d7759f388281fbd823d881fcbe568996310ead2d0e4ca868fbd6bca4d24363770bb279aeb42202d4c6dd5b0d9a95cb9f83f33191867dd64b69e09e0cd
+  data.tar.gz: 7517549388c01a754f982b57f1038c635fe2d51437c745d1d4c1993987d38fd6984480d88dbdb30b4201c7c5f18c898f49bdf4785adc82345daa591e9eeba4db

data/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.travis.yml

@@ -0,0 +1,7 @@
+---
+sudo: false
+language: ruby
+cache: bundler
+rvm:
+  - 2.4.1
+before_install: gem install bundler -v 1.17.1

data/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in ssomg.gemspec
+gemspec

data/README.md

@@ -0,0 +1,118 @@
+# Ssomg
+This is the Ruby client for the SSOMG single sign on project, designed to work with Rails.
+
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'ssomg'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install ssomg
+
+
+One the gem is installed there are a few things to add in the code. 
+
+In `/config/application.rb`, add the line 
+`Ssomg.configure`
+Be sure to do this after the necessary environment variables, to ensure the module configures correctly.
+
+At the top of `/config/routes.rb`, add the line
+`mount Ssomg::Engine => "auth"`
+To mount the expected routes for authentication. This adds `/auth/login`, `/auth/logout` and `auth/verify` to the app, none of which have views. 
+
+Then to protect routes, make sure that you application controller inherits from `Ssomg::BaseController` ( which in turn inherits from `ActionController::Base`) : 
+```
+class ApplicationController < Ssomg::BaseController
+  # your code here
+end 
+```
+
+### Usage
+
+Once set up, controllers inheriting from your base controller will have the class variable `@user` set, which you can use to validate requests however you want. 
+
+The controller provides a `protect` method to only allow access to routes if the user has a specific role set. 
+There are a number of ways to do this, as shown in this example controller. 
+
+```
+class WelcomeController < ApplicationController
+
+  # To protect the whole controller
+  before_action -> { protect(["admin"]) }
+  # or
+  before_action -> { protect("admin") }
+  # or 
+  before_action -> { protect(["admin", "read"]) }
+
+
+  def index
+    # Or to protect the method
+    protect(["admin"])
+    # or 
+    protect("admin")
+    # or
+    protect(["admin", "myrole"])
+
+    @var = "hello"
+  end
+
+private 
+
+
+end
+```
+
+If a user JWT is set, @user will be set like this:
+
+```
+@user => {
+  "_id": "xxxxx",
+  "first_name": "First",
+  "last_name": "Last",
+  "email": "xxxxxxxx@xxxx.xx",
+  "roles": [
+    "App Role 1",
+    "App Role 2"
+  ],
+  "refresh_token": "xxxxxxxxx",
+  "iat": xxxxxxxxxx,
+  "exp": xxxxxxxxxx
+}
+```
+
+### Environment ###
+
+When you register the app and the users in the main SSOMG admin, you'll be issued with an app id and the public key used to verify tokens. 
+You'll need to add the public key to your project, and then add the following attributes to your environment file to make sure it works correctly: 
+
+```
+PUB_KEY_PATH=./keys/sso
+APP_ID=xxxxxxxxxxxxxxxxxxxxxxxx
+SSO_HOST=https://auth.mysite.com
+```
+
+In production, the app will automatically use secure and http-only cookies.
+
+## Gotchas
+
+Make sure the URLs in the env file and the provider app contain the correct protocol(http(s)), and ports. Without the correct protocols, the app will behave unexpectedly.
+
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/ssomg.

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "ssomg"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/ssomg/config/routes.rb

@@ -0,0 +1,7 @@
+module Ssomg
+  Engine.routes.draw do
+    get '/login', to: 'auth#login'
+    get '/verify', to: 'auth#verify'
+    get '/logout', to: 'auth#logout'
+  end
+end

data/lib/ssomg/controllers/auth_controller.rb

@@ -0,0 +1,18 @@
+module Ssomg
+  class AuthController < BaseController
+    def verify
+      verify_token    
+    end
+
+    def login
+      cookies["ssomg_meta" ] = { :value => "/", :secure => Rails.env.production?, :httponly => true }
+      go_to_provider
+    end
+
+    def logout
+      clear_linked_cookies
+      clear_cookies
+      redirect_to ENV["SSO_HOST"] + "/auth/logout"
+    end
+  end
+end

data/lib/ssomg/controllers/base_controller.rb

@@ -0,0 +1,107 @@
+module Ssomg
+  class BaseController < ::ActionController::Base
+
+    before_action :register_user, unless: -> { request.query_parameters["token"] }
+
+  private 
+
+    def register_user 
+      if ( cookies["ssomg"] )
+        token = cookies["ssomg"]
+      else 
+        token = bearer_token
+      end
+      if( token )
+        begin 
+          decoded_token = ::JWT.decode token, Ssomg.PUB_KEY, true, { algorithm: 'RS256' }
+          @user = decoded_token[ 0 ]
+        rescue ::JWT::ExpiredSignature
+          cookies["ssomg_meta" ] = { :value => request.original_url, :secure => Rails.env.production?, :httponly => true }
+          go_to_provider 
+        rescue StandardError
+          # invalid token
+        end
+      end
+    end
+
+    def verify_token
+      if request.query_parameters["token"] 
+        accessTokens = JSON.parse refresh( request.query_parameters["token"] )
+        cookies["ssomg" ] = { :value => accessTokens[ENV["APP_ID"]], :secure => Rails.env.production?, :httponly => true }
+        withoutMain = accessTokens.except!( ENV["APP_ID"] )
+        cookies["ssomg_all" ] = { :value => withoutMain.keys.join(","), :secure => Rails.env.production?, :httponly => true }
+        withoutMain.each { |key, value| 
+          cookies["ssomg_" + key ] = { :value => value, :secure => Rails.env.production?, :httponly => true }
+        }
+        if ( cookies["ssomg_meta"] ) 
+          path = cookies["ssomg_meta"]
+          cookies.delete "ssomg_meta"
+          redirect_to path and return
+        end
+      end
+    end
+
+    def protect( roles )
+      if ( @user )
+        if !roles.kind_of?(Array)
+          roles = [ roles ]
+        end
+        authorised = false;
+        for role in roles
+          if ( @user["roles"].include? role ) 
+            authorised = true
+            break
+          end
+        end
+        if ( !authorised ) 
+          head(403)      
+        end
+      else 
+        cookies["ssomg_meta" ] = { :value => request.original_url, :secure => Rails.env.production?, :httponly => true }
+        go_to_provider
+      end
+      
+    end
+
+    def refresh( token ) 
+      require 'net/http'
+      require 'json'
+      begin
+        uri = URI(ENV["SSO_HOST"] + "/auth/sso")
+        http = Net::HTTP.new(uri.host, uri.port)
+        req = Net::HTTP::Post.new(uri.path, {'Content-Type' =>'application/json'})
+        req.body = { :token => token }.to_json
+        res = http.request(req)
+        jwt = res.body
+        return jwt
+      rescue => e
+        puts "failed #{e}"
+      end
+    end
+
+    def bearer_token
+      pattern = /^Bearer /
+      header  = request.headers['Authorization']
+      header.gsub(pattern, '') if header && header.match(pattern)
+    end
+
+    def clear_linked_cookies
+      if cookies["ssomg_all"] 
+        all_cookies = cookies["ssomg_all"].split(",")
+        all_cookies.each { |key| cookies.delete "ssomg_" + key }
+        cookies.delete "ssomg_all"
+      end
+    end
+
+    def clear_cookies
+      cookies.delete "ssomg_meta"
+      cookies.delete "ssomg"
+    end
+
+    def go_to_provider
+      clear_linked_cookies
+      redirect_to ENV["SSO_HOST"] + "/auth/login?app_id=" + ENV["APP_ID"]
+    end
+
+  end
+end

data/lib/ssomg/engine.rb

@@ -0,0 +1,22 @@
+module Ssomg
+  puts "TEst"
+  @@PUB_KEY = ""
+  class Engine < Rails::Engine
+
+    paths["app/controllers"] = ["lib/ssomg/controllers"]
+    paths["config/routes.rb"] = ["lib/ssomg/config/routes.rb"]
+    isolate_namespace Ssomg
+  end
+
+  def self.configure
+    puts "TEst 2"
+    puts ENV["PUB_KEY_PATH"] 
+    puts File.read( ENV["PUB_KEY_PATH"] )
+    @@PUB_KEY = OpenSSL::PKey::RSA.new( File.read( ENV["PUB_KEY_PATH"] ) )
+  end
+
+  def self.PUB_KEY
+    @@PUB_KEY
+  end
+
+end

data/lib/ssomg/version.rb

@@ -0,0 +1,3 @@
+module Ssomg
+  VERSION = "0.1.0"
+end

data/lib/ssomg.rb

@@ -0,0 +1,10 @@
+require "ssomg/version"
+require "jwt"
+require 'ssomg/controllers/base_controller'
+require 'ssomg/controllers/auth_controller'
+require 'ssomg/engine'
+
+
+module Ssomg
+  class Error < StandardError; end
+end

data/ssomg.gemspec

@@ -0,0 +1,42 @@
+
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "ssomg/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "ssomg"
+  spec.version       = Ssomg::VERSION
+  spec.authors       = ["Henry McIntosh"]
+  spec.email         = ["henry.mcintosh@roardigital.co.uk"]
+
+  spec.summary       = "The SSOMG client for Ruby on Rails."
+  spec.description   = "This is the Rails gem for setting up SSOMG with the main provider."
+  spec.homepage      = "https://bitbucket.org/roardigital/ssomg-gem/src"
+
+  # Prevent pushing this gem to RubyGems.org. To allow pushes either set the 'allowed_push_host'
+  # to allow pushing to a single host or delete this section to allow pushing to any host.
+  if spec.respond_to?(:metadata)
+    spec.metadata["allowed_push_host"] = "https://rubygems.org"
+
+    spec.metadata["homepage_uri"] = spec.homepage
+    spec.metadata["source_code_uri"] = "https://bitbucket.org/roardigital/ssomg-gem/src"
+    spec.metadata["changelog_uri"] = "TODO: Put your gem's CHANGELOG.md URL here."
+  else
+    raise "RubyGems 2.0 or newer is required to protect against " \
+      "public gem pushes."
+  end
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.17"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_dependency "jwt", "~> 1.5.4"
+end

metadata

@@ -0,0 +1,118 @@
+--- !ruby/object:Gem::Specification
+name: ssomg
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Henry McIntosh
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2019-08-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.17'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.17'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.5.4
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.5.4
+description: This is the Rails gem for setting up SSOMG with the main provider.
+email:
+- henry.mcintosh@roardigital.co.uk
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- lib/ssomg.rb
+- lib/ssomg/config/routes.rb
+- lib/ssomg/controllers/auth_controller.rb
+- lib/ssomg/controllers/base_controller.rb
+- lib/ssomg/engine.rb
+- lib/ssomg/version.rb
+- ssomg.gemspec
+homepage: https://bitbucket.org/roardigital/ssomg-gem/src
+licenses: []
+metadata:
+  allowed_push_host: https://rubygems.org
+  homepage_uri: https://bitbucket.org/roardigital/ssomg-gem/src
+  source_code_uri: https://bitbucket.org/roardigital/ssomg-gem/src
+  changelog_uri: 'TODO: Put your gem''s CHANGELOG.md URL here.'
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.14
+signing_key: 
+specification_version: 4
+summary: The SSOMG client for Ruby on Rails.
+test_files: []