trusona 0.16.0

data/lib/trusona/api/client.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+module Trusona
+  module Api
+    #
+    ## An a wrapper around HTTParty
+    class HTTPClient
+      POST  = 'POST'
+      GET   = 'GET'
+      PATCH = 'PATCH'
+      CONTENT_TYPE = 'application/json;charset=utf-8'
+
+      def initialize(host = nil)
+        @host = host || Trusona.config.api_host
+      end
+
+      def post(path, params = {})
+        execute(path, params, POST)
+      end
+
+      def patch(path, params = {})
+        execute(path, params, PATCH)
+      end
+
+      def get(path, params = {})
+        execute(path, params, GET)
+      end
+
+      private
+
+      def execute(path, params, method)
+        request = Trusona::Api::SignedRequest.new(path, params, method, @host)
+
+        # Power of ruby or hard to read?
+        unverified = HTTParty.send(
+          method.downcase,
+          request.uri,
+          body: request.body,
+          headers: request.headers
+        )
+
+        Trusona::Api::VerifiedResponse.new(unverified)
+      end
+    end
+
+    ##
+    # A default nil http client
+    class NilHTTPClient
+      def initialize(host)
+        @host = host
+      end
+
+      def post(_uri, _params); end
+
+      def get(_uri, _params); end
+
+      def patch(_uri, _params); end
+    end
+  end
+end

data/lib/trusona/api/hashed_message.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module Trusona
+  module Api
+    #
+    ## A HMAC message suitable for authorization to the Trusona API
+    class HashedMessage
+      def initialize(params = {})
+        validate(params)
+
+        @method       = params[:method]
+        @body         = params[:body]
+        @content_type = params[:content_type]
+        @path         = params[:path]
+        @date         = params[:date]
+        @secret       = Trusona.config.secret
+        @token        = Trusona.config.token
+      end
+
+      def auth_header
+        "TRUSONA #{@token}:#{signature}"
+      end
+
+      def signature
+        Base64.strict_encode64(
+          OpenSSL::HMAC.hexdigest(
+            OpenSSL::Digest::SHA256.new, @secret, prepare_data
+          )
+        )
+      end
+
+      private
+
+      def body_digest
+        digestable_body = ''
+        digestable_body = @body unless @body.nil? || @body.empty?
+
+        OpenSSL::Digest::MD5.new.hexdigest(digestable_body)
+      end
+
+      def invalid_param?(param)
+        param.nil?
+      end
+
+      def invalid_method?(method)
+        http_methods = %w[GET POST DELETE PATCH PUT]
+        return true if invalid_param?(method)
+        return true unless http_methods.include?(method.strip.upcase)
+      end
+
+      def prepare_data
+        data = [
+          @method.to_s,
+          body_digest,
+          @content_type,
+          @date,
+          @path
+        ]
+
+        data.join("\n")
+      end
+
+      def validate(params)
+        raise ArgumentError if invalid_method?(params[:method])
+        raise ArgumentError if invalid_param?(params[:path])
+      end
+    end
+  end
+end

data/lib/trusona/api/signed_request.rb

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+
+module Trusona
+  module Api
+    #
+    ## A signed request that can be used to make HMAC'd API calls to Trusona
+    class SignedRequest
+      attr_reader :uri, :body
+
+      def initialize(path, body, method, host)
+        @host = host
+        @uri  = build_uri(path, body)
+        @body = parse_body(body)
+        @path = build_path(path)
+        @method = method
+        @headers = { 'x-date' => nil, 'Authorization' => nil }
+        @date = Time.now.httpdate
+        validate
+        @signature = sign
+      end
+
+      def headers
+        @headers.merge(
+          'x-date' => @date,
+          'Date'   => @date,
+          'X-Date' => @date,
+          'Authorization' => @signature,
+          'Content-Type' => determine_content_type
+        )
+      end
+
+      private
+
+      def determine_content_type
+        return '' if @method == 'GET' || @method == 'DELETE'
+        Trusona::Api::HTTPClient::CONTENT_TYPE
+      end
+
+      def build_path(path)
+        return path if @uri.query.nil? || @uri.query.empty?
+        [@uri.path, @uri.query].join('?')
+      end
+
+      def build_uri(path, body)
+        return build_uri_with_query(URI(path)) if URI(path).query
+        return build_uri_with_body_as_query(path, body) if valid_hash_body(body)
+        URI::HTTPS.build(host: @host, path: path)
+      end
+
+      def valid_hash_body(body)
+        body.is_a?(Hash) && !body.empty?
+      end
+
+      def parse_body(body)
+        body.is_a?(Hash) ? '' : body
+      end
+
+      def sign
+        message = Trusona::Api::HashedMessage.new(
+          body: @body,
+          content_type: determine_content_type,
+          path: @path,
+          method: @method,
+          date: @date
+        )
+
+        message.auth_header
+      rescue ArgumentError
+        raise Trusona::SigningError
+      end
+
+      def build_uri_with_query(generic)
+        URI::HTTPS.build(
+          host: @host,
+          path: generic.path,
+          query: generic.query
+        )
+      end
+
+      def build_uri_with_body_as_query(path, body)
+        URI::HTTPS.build(
+          host: @host,
+          path: path,
+          query: URI.encode_www_form(body)
+        )
+      end
+
+      def validate
+        raise ArgumentError unless @path
+        raise ArgumentError unless @body
+        raise ArgumentError unless @method
+        raise ArgumentError unless @host
+      end
+    end
+  end
+end

data/lib/trusona/api/verified_response.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+module Trusona
+  module Api
+    #
+    ## a response from the Trusona API that can be verified with HMAC
+    class VerifiedResponse
+      LEGACY_SERVER_HEADER = 'Apache-Coyote/1.1'
+      attr_reader :code
+
+      def initialize(unverified)
+        @unverified = unverified
+        @verified   = verify
+        @code = unverified.code
+      end
+
+      def to_h
+        JSON.parse(@unverified.body)
+      end
+
+      def verified?
+        @verified
+      end
+
+      private
+
+      def verify
+        expected = expected_signature
+        actual = @unverified.headers['X-Signature']
+        actual == expected || actual == Base64.strict_decode64(expected)
+      end
+
+      # rubocop:disable Metrics/MethodLength
+      def expected_signature
+        begin
+          message = Trusona::Api::HashedMessage.new(
+            method: parse_method(@unverified.request.http_method),
+            body: @unverified.body,
+            content_type: determine_content_type,
+            path: parse_path(@unverified.request.uri),
+            date: parse_date(@unverified.headers)
+          )
+        rescue ArgumentError
+          raise Trusona::SigningError
+        end
+
+        message.signature
+      end
+      # rubocop:enable Metrics/MethodLength
+
+      def parse_path(uri)
+        return uri.path unless uri.query
+        [uri.path, uri.query].join('?')
+      end
+
+      def parse_date(headers)
+        headers['X-Date'] || headers['x-date'] || headers['Date']
+      end
+
+      def determine_content_type
+        server = @unverified.headers['server']
+        response_type = @unverified.headers['Content-Type']
+        return response_type unless server == LEGACY_SERVER_HEADER
+        determine_request_content_type
+      end
+
+      def determine_request_content_type
+        default_type = 'application/json;charset=utf-8'
+        return default_type unless @unverified.request
+        return default_type unless @unverified.request.options
+        return default_type unless @unverified.request.options[:headers]
+        @unverified.request.options[:headers]['Content-Type']
+      end
+
+      def parse_method(method)
+        case method.to_s
+        when Net::HTTP::Post.to_s
+          'POST'
+        else
+          'GET'
+        end
+      end
+    end
+  end
+end

data/lib/trusona/device.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Trusona
+  ##
+  # Helpful for finding Devices to determine if and when they were activated
+  class Device
+    ##
+    # Finds the specified device
+    #
+    # @param [String] id The identifier of the Device
+    # @return [Trusona::Resources::Device] the Device
+    # @raise ArgumentError if the identifier is nil
+    #
+    # @raise [Trusona::InvalidResourceError] if the resource is not +valid?+
+    # @see Trusona::Resources::BaseResource#valid?
+    # @raise [Trusona::BadRequestError] if the request is improperly formatted
+    # @raise [Trusona::UnauthorizedRequestError] if the request is unauthorized.
+    #  Typically the result of invalid or revoked Trusona SDK keys.
+    # @raise [Trusona::ApiError] if the Trusona API is experiencing problems.
+    #
+    # @example
+    #
+    #   Trusona::Device.find(id: 'r1ByVyVKJ7TRgU0RPX0-THMTD_CO3VrCSNqLpJFmhms')
+    #
+    def self.find(id: nil)
+      raise ArgumentError, 'A Device identifier is required.' unless id
+
+      Trusona::Workers::DeviceFinder.new.find(id)
+    end
+  end
+end

data/lib/trusona/device_user_binding.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module Trusona
+  ##
+  # Manages the creation of device and user bindings
+  class DeviceUserBinding
+    ##
+    # Binds a device identifier and user identifier together in the Trusona API
+    #
+    # @param [String] user The user identifier that uniquely identifies the
+    #   user in the Relying Party system.
+    # @param [String] device The device identifier as retrieved by the Trusona
+    #  mobile SDK.
+    # @return [Trusona::Resources::DeviceUserBinding] The created device and
+    #  user binding record.
+    #
+    # @see Trusona::Resources::DeviceUserBinding
+    #
+    # @raise [Trusona::InvalidResourceError] if the resource is not +valid?+
+    # @see Trusona::Resources::BaseResource#valid?
+    # @raise [Trusona::BadRequestError] if the request is improperly formatted
+    # @raise [Trusona::UnauthorizedRequestError] if the request is unauthorized.
+    #  Typically the result of invalid or revoked Trusona SDK keys.
+    # @raise [Trusona::ApiError] if the Trusona API is experiencing problems.
+    #
+    # @example
+    #
+    #   binding = Trusona::DeviceUserBinding.create(
+    #     user: '83452353-4F7B-4CA2-BBCD-57ACE7279EA0',
+    #     device: 'PBanKaajTmz_Cq1pDkrRzyeISBSBoGjExzp5r6-UjcI'
+    #   )
+    #
+
+    def self.create(user: nil, device: nil)
+      raise ArgumentError, 'User is missing' if user.nil? || user.empty?
+      raise ArgumentError, 'Device is missing' if device.nil? || device.empty?
+      Trusona::Workers::DeviceUserBindingCreator.new.create(
+        user: user, device: device
+      )
+    end
+
+    ##
+    # Activates an existing device and user binding record
+    #
+    # @param id [String] The ID of the {Trusona::Resources::DeviceUserBinding}
+    #   to be activated
+    # @raise (see .create)
+    # @return [Trusona::Resources::DeviceUserBindingActivation]
+    #
+
+    def self.activate(id: nil)
+      raise ArgumentError if id.nil? || id.empty?
+      Trusona::Workers::DeviceUserBindingActivator.new.activate(id: id)
+    end
+  end
+end

data/lib/trusona/errors.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module Trusona
+  ##
+  # A generic error for when things go wrong, but we're not sure why
+  class TrusonaError < StandardError; end
+
+  ##
+  # An error that occurs when the configuration is incorrect or invalid
+  class ConfigurationError < TrusonaError; end
+
+  ##
+  # An error resulting from a resource that is invalid due to missing
+  # required fields
+  class InvalidResourceError < TrusonaError; end
+
+  ##
+  # An error used to indicate a failure in HMAC signing
+  class SigningError < TrusonaError; end
+
+  ##
+  # An error reserved for problems communicating with the Trusona REST API
+  class RequestError < TrusonaError; end
+
+  ##
+  # The result of attempting to access the Trusona REST API with invalid
+  # or missing SDK Keys (Token and Secret)
+  class UnauthorizedRequestError < RequestError; end
+
+  ##
+  # An error for resulting from 50x errors from the Trusona REST API
+  class ApiError < RequestError; end
+
+  ##
+  # An error resulting from 404 errors from the Trusona REST API
+  class ResourceNotFoundError < RequestError; end
+
+  ##
+  # An error resulting from 400 errors from the Trusona REST API
+  class BadRequestError < RequestError; end
+
+  ##
+  # An error resulting from 424 errors from the Trusona REST API
+  class FailedDependencyError < RequestError; end
+
+  ##
+  # An error resulting from trying to find a record without a valid
+  # identifier. Prempts a `Trusona::ResourceNotFoundError` error by
+  # not making a network request with an invalid identifier.
+  class InvalidRecordIdentifier < TrusonaError; end
+end