warden_openid_auth 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 5a6ea5d95308956940c72916462ecc19bc1ffee2fdb7706da433b260cfb81f20
+  data.tar.gz: 56618d37eba3a34a73a77484cc25a2ef1d6573c75afa6536aa587cef17a28698
+SHA512:
+  metadata.gz: b1523543a26b8ecaad1ff9669b4e178533f293941467bcdb37b5aa18f7e2579f3f8a2425b038d742c1ec70c17cc2fa338dd6a8d85003d95b56d4909fc5163f6a
+  data.tar.gz: 3474b67601d4a9a9415657f171e5b36b1d96dc4de4f522e2fcd2fa6f10d652b6a8675ea172a0371ad43df2444a8d167a598e105130ba97d87f4057943a518d32

data/.rspec

@@ -0,0 +1,4 @@
+--format documentation
+--color
+--require spec_helper
+--order rand

data/.rubocop.yml

@@ -0,0 +1,19 @@
+require:
+  - rubocop-rspec
+  - rubocop-rake
+
+AllCops:
+  NewCops: enable
+
+Metrics/BlockLength:
+  Exclude:
+    - 'spec/**/*'
+
+RSpec/VerifiedDoubles:
+  Enabled: false
+
+Bundler/OrderedGems:
+  Enabled: false
+
+Gemspec/OrderedDependencies:
+  Enabled: false

data/Gemfile

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in warden_openid_auth.gemspec
+gemspec
+
+gem 'rake', '~> 13.0'
+gem 'rspec', '~> 3.11'
+gem 'rubocop', '~> 1.25', require: false
+gem 'rubocop-rspec', '~> 2.9', require: false
+gem 'rubocop-rake', '~> 0.6', require: false
+gem 'webmock', '~> 3.14'
+gem 'rack-test', '~> 1.1'
+gem 'byebug', '~> 11.1'

data/Gemfile.lock

@@ -0,0 +1,102 @@
+PATH
+  remote: .
+  specs:
+    warden_openid_auth (0.1.0)
+      dry-configurable (~> 0.14)
+      dry-monads (~> 1.4)
+      faraday (~> 2.2)
+      faraday-retry (~> 1.0)
+      jwt (~> 2.3)
+      warden (~> 1.2)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.8.0)
+      public_suffix (>= 2.0.2, < 5.0)
+    ast (2.4.2)
+    byebug (11.1.3)
+    concurrent-ruby (1.1.9)
+    crack (0.4.5)
+      rexml
+    diff-lcs (1.5.0)
+    dry-configurable (0.14.0)
+      concurrent-ruby (~> 1.0)
+      dry-core (~> 0.6)
+    dry-core (0.7.1)
+      concurrent-ruby (~> 1.0)
+    dry-monads (1.4.0)
+      concurrent-ruby (~> 1.0)
+      dry-core (~> 0.7)
+    faraday (2.2.0)
+      faraday-net_http (~> 2.0)
+      ruby2_keywords (>= 0.0.4)
+    faraday-net_http (2.0.1)
+    faraday-retry (1.0.3)
+    hashdiff (1.0.1)
+    jwt (2.3.0)
+    parallel (1.21.0)
+    parser (3.1.1.0)
+      ast (~> 2.4.1)
+    public_suffix (4.0.6)
+    rack (2.2.3)
+    rack-test (1.1.0)
+      rack (>= 1.0, < 3)
+    rainbow (3.1.1)
+    rake (13.0.6)
+    regexp_parser (2.2.1)
+    rexml (3.2.5)
+    rspec (3.11.0)
+      rspec-core (~> 3.11.0)
+      rspec-expectations (~> 3.11.0)
+      rspec-mocks (~> 3.11.0)
+    rspec-core (3.11.0)
+      rspec-support (~> 3.11.0)
+    rspec-expectations (3.11.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.11.0)
+    rspec-mocks (3.11.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.11.0)
+    rspec-support (3.11.0)
+    rubocop (1.25.1)
+      parallel (~> 1.10)
+      parser (>= 3.1.0.0)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.8, < 3.0)
+      rexml
+      rubocop-ast (>= 1.15.1, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 3.0)
+    rubocop-ast (1.16.0)
+      parser (>= 3.1.1.0)
+    rubocop-rake (0.6.0)
+      rubocop (~> 1.0)
+    rubocop-rspec (2.9.0)
+      rubocop (~> 1.19)
+    ruby-progressbar (1.11.0)
+    ruby2_keywords (0.0.5)
+    unicode-display_width (2.1.0)
+    warden (1.2.9)
+      rack (>= 2.0.9)
+    webmock (3.14.0)
+      addressable (>= 2.8.0)
+      crack (>= 0.3.2)
+      hashdiff (>= 0.4.0, < 2.0.0)
+
+PLATFORMS
+  x86_64-linux
+
+DEPENDENCIES
+  byebug (~> 11.1)
+  rack-test (~> 1.1)
+  rake (~> 13.0)
+  rspec (~> 3.11)
+  rubocop (~> 1.25)
+  rubocop-rake (~> 0.6)
+  rubocop-rspec (~> 2.9)
+  warden_openid_auth!
+  webmock (~> 3.14)
+
+BUNDLED WITH
+   2.2.32

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2022 Blayne Farinha
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,3 @@
+# Warden Openid Auth
+
+TODO: Write usage instructions here

data/Rakefile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+require 'rubocop/rake_task'
+
+RuboCop::RakeTask.new
+
+task default: %i[spec rubocop]

data/bin/console

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'bundler/setup'
+require 'warden_openid_auth'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require 'irb'
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/warden_openid_auth/errors.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module WardenOpenidAuth
+  class OpenidConfigFetchError < StandardError; end
+
+  class JWKSFetchError < StandardError; end
+end

data/lib/warden_openid_auth/jwks.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require 'digest'
+
+module WardenOpenidAuth
+  # Represents a JSON Web Key Set. It will cache the results of the web request to get the JWKS so
+  # that it does not need to make an external request for the JWKS to authenticate every user.
+  class JWKS
+    attr_reader :jwks_url, :cache, :cache_options
+
+    # @param jwks_url [String] the URL that the JSON Web Key Set can be retrieved from.
+    # @param config [#cache, #cache_options] the object that holds the cache and cache options.
+    def initialize(jwks_url:, config: WardenOpenidAuth.config)
+      @jwks_url = jwks_url
+      @cache = config.cache
+      @cache_options = config.cache_options
+    end
+
+    # Checks the cache to see if it contains the JSON Web Key Set and returns it. If it is not in
+    # the cache it will fetch it from the URL specified.
+    #
+    # @return [Hash] a Hash representation of the JSON Web Key Set.
+    def key_set
+      result = cache.read(cache_key)
+      return result unless result.nil?
+
+      fetch_and_store_jwks
+    end
+
+    private
+
+    def cache_key
+      @cache_key ||= "jwks_#{Digest::MD5.hexdigest(jwks_url)}"
+    end
+
+    def fetch_and_store_jwks
+      result = client.get(jwks_url)
+
+      raise JWKSFetchError, "Received #{result.status} from server." unless result.success?
+
+      cache.write(cache_key, result.body, cache_options)
+      result.body
+    rescue Faraday::Error => e
+      raise JWKSFetchError, "Faraday encountered a #{e.class} error. The message returned was \"#{e.message}\""
+    end
+
+    def client
+      Faraday.new(nil, request: { timeout: 5 }) do |f|
+        f.request :retry
+        f.response :json, parser_options: { symbolize_names: true }
+      end
+    end
+  end
+end

data/lib/warden_openid_auth/openid_metadata.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+require 'faraday'
+require 'faraday/retry'
+require 'uri'
+require 'erb'
+
+module WardenOpenidAuth
+  # Representation of the OpenID config document.
+  class OpenidMetadata
+    include ERB::Util
+
+    attr_reader :metadata_url, :cache, :cache_options, :client_id
+
+    # @param config [#openid_metadata_url, #cache, #cache_options] object containg the desired configuration.
+    def initialize(config: WardenOpenidAuth.config)
+      @metadata_url = config.openid_metadata_url
+      @cache = config.cache
+      @cache_options = config.cache_options
+      @client_id = config.client_id
+    end
+
+    # @return [String] the endpoint for authorization
+    def authorization_endpoint
+      config_document['authorization_endpoint']
+    end
+
+    # @return [String] the full URL for authorization including parameters
+    def authorization_url(redirect_uri:, state:, scope: 'openid profile email')
+      uri = URI(authorization_endpoint)
+      uri.query = "client_id=#{url_encode(client_id)}&redirect_uri=#{url_encode(redirect_uri)}" \
+                  "&scope=#{url_encode(scope)}&state=#{url_encode(state)}&response_mode=query&response_type=code"
+      uri.to_s
+    end
+
+    # @return [String] the endpoint to hit to get tokens.
+    def token_endpoint
+      config_document['token_endpoint']
+    end
+
+    # @return [String] the endpoint to hit to get the JSON Web Key Set.
+    def jwks_uri
+      config_document['jwks_uri']
+    end
+
+    # @return [String] the issuer according to the metadata document.
+    def issuer
+      config_document['issuer']
+    end
+
+    # @return [Hash] a hash representation of the OpenID configuration document.
+    def to_h
+      config_document
+    end
+
+    private
+
+    def config_document
+      config = cache.read('openid_metadata')
+      return config unless config.nil?
+
+      fetch_and_store_config
+    end
+
+    def fetch_and_store_config
+      result = client.get(metadata_url)
+
+      raise OpenidConfigFetchError, "Received #{result.status} from server." unless result.success?
+
+      cache.write('openid_metadata', result.body, cache_options)
+      result.body
+    rescue Faraday::Error => e
+      raise OpenidConfigFetchError, "Faraday encountered a #{e.class} error. The message returned was \"#{e.message}\""
+    end
+
+    def client
+      Faraday.new(nil, request: { timeout: 5 }) do |f|
+        f.request :retry
+        f.response :json
+      end
+    end
+  end
+end

data/lib/warden_openid_auth/strategy.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+require 'dry-monads'
+require 'dry/monads/do'
+require 'faraday'
+require 'faraday/retry'
+require 'jwt'
+require 'warden'
+
+module WardenOpenidAuth
+  # This strategy uses OpenID to log the user in. This should be called as the callback phase of an
+  # OpenID auth code flow strategy. It will exchange the auth_code provided for an ID token and validate the ID Token.
+  class Strategy < Warden::Strategies::Base
+    include Dry::Monads[:result]
+    include Dry::Monads::Do.for(:validate_user)
+
+    # Only run strategy if this evaluates to true.
+    def valid?
+      params.key?('code') || params.key?('error')
+    end
+
+    # Authenticate and log the user in.
+    def authenticate!
+      if params.key?('error')
+        fail!("There was a problem loging you in. #{params['error_description']}")
+        return
+      end
+
+      case validate_user
+      in Success(user)
+        success!(user)
+      in Failure(message:)
+        fail!(message)
+      end
+    end
+
+    private
+
+    def validate_user
+      token = yield fetch_token
+      claims = yield validate_token(token)
+      user = yield fetch_user(claims)
+
+      Success(user)
+    rescue WardenOpenidAuth::OpenidConfigFetchError
+      Failure(message: 'Could not fetch OpenID Configuration Document')
+    rescue WardenOpenidAuth::JWKSFetchError
+      Failure(message: 'Could not fetch JSON Web Key Set to verify token.')
+    end
+
+    def fetch_token
+      result = client.post(openid_metadata.token_endpoint, fetch_token_post_params)
+      return Failure(message: 'Unable to exchange authorization code for a token.') unless result.success?
+
+      Success(result.body['id_token'])
+    rescue Faraday::Error
+      Failure(message: 'Unable to exchange authorization code for a token.')
+    end
+
+    def validate_token(token)
+      Success(JWT.decode(token, nil, true, decode_opts).first)
+    rescue JWT::DecodeError
+      Failure(message: 'There was an error with the id token recieved. Please try again.')
+    end
+
+    def fetch_user(claims)
+      result = config.user_finder.call(claims)
+      return result if result.is_a?(Dry::Monads::Result)
+      return Failure(message: 'Could not find user.') if result.nil?
+
+      Success(result)
+    end
+
+    def fetch_token_post_params
+      {
+        client_id: config.client_id,
+        code: params['code'],
+        redirect_uri: "#{request.base_url}#{request.path}",
+        grant_type: 'authorization_code',
+        client_secret: config.client_secret
+      }
+    end
+
+    # rubocop:disable Metrics/MethodLength
+    def decode_opts
+      {
+        algorithm: 'RS256',
+        verify_expiration: true,
+        verify_not_before: true,
+        verify_iat: true,
+        verify_iss: true,
+        iss: openid_metadata.issuer,
+        verify_aud: true,
+        aud: config.client_id,
+        jwks: jwks.key_set
+      }
+    end
+    # rubocop:enable Metrics/MethodLength
+
+    def client
+      Faraday.new(nil, request: { timeout: 5 }) do |f|
+        f.request :url_encoded
+        f.request :retry
+        f.response :json
+      end
+    end
+
+    def config
+      WardenOpenidAuth.config
+    end
+
+    def openid_metadata
+      @openid_metadata ||= WardenOpenidAuth::OpenidMetadata.new(config: config)
+    end
+
+    def jwks
+      WardenOpenidAuth::JWKS.new(jwks_url: openid_metadata.jwks_uri, config: config)
+    end
+  end
+end

data/lib/warden_openid_auth/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module WardenOpenidAuth
+  VERSION = '0.1.0'
+end

data/lib/warden_openid_auth.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require 'uri'
+require 'dry-configurable'
+
+require 'warden_openid_auth/version'
+require 'warden_openid_auth/openid_metadata'
+require 'warden_openid_auth/jwks'
+require 'warden_openid_auth/strategy'
+require 'warden_openid_auth/errors'
+
+module WardenOpenidAuth
+  extend Dry::Configurable
+
+  setting :client_id
+  setting :client_secret
+  setting :openid_metadata_url, constructor: ->(url) { URI(url) }
+  setting :cache
+  setting :cache_options
+  setting :user_finder, default: proc {}
+end
+
+Warden::Strategies.add(:openid, WardenOpenidAuth::Strategy)

data/warden_openid_auth.gemspec

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require_relative 'lib/warden_openid_auth/version'
+
+Gem::Specification.new do |spec|
+  spec.name = 'warden_openid_auth'
+  spec.version = WardenOpenidAuth::VERSION
+  spec.authors = ['Blayne Farinha']
+  spec.email = ['blayne.farinha@gmail.com']
+
+  spec.summary = 'A warden strategy to login via OpenID'
+  spec.homepage = 'https://github.com/blafri/warden_openid_auth'
+  spec.license = 'MIT'
+  spec.required_ruby_version = '>= 3.0'
+
+  spec.metadata['homepage_uri'] = spec.homepage
+  spec.metadata['source_code_uri'] = 'https://github.com/blafri/warden_openid_auth'
+  spec.metadata['rubygems_mfa_required'] = 'true'
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (f == __FILE__) || f.match(%r{\A(?:(?:test|spec|features)/|\.(?:git|travis|circleci)|appveyor)})
+    end
+  end
+  spec.bindir = 'exe'
+  spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  # Uncomment to register a new dependency of your gem
+  # spec.add_dependency "example-gem", "~> 1.0"
+  spec.add_dependency 'dry-configurable', '~> 0.14'
+  spec.add_dependency 'faraday', '~> 2.2'
+  spec.add_dependency 'faraday-retry', '~> 1.0'
+  spec.add_dependency 'jwt', '~> 2.3'
+  spec.add_dependency 'dry-monads', '~> 1.4'
+  spec.add_dependency 'warden', '~> 1.2'
+
+  # For more information and examples about making a new gem, checkout our
+  # guide at: https://bundler.io/guides/creating_gem.html
+end

metadata

@@ -0,0 +1,146 @@
+--- !ruby/object:Gem::Specification
+name: warden_openid_auth
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Blayne Farinha
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2022-03-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: dry-configurable
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.14'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.14'
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+- !ruby/object:Gem::Dependency
+  name: faraday-retry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+- !ruby/object:Gem::Dependency
+  name: dry-monads
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+- !ruby/object:Gem::Dependency
+  name: warden
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+description: 
+email:
+- blayne.farinha@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".rspec"
+- ".rubocop.yml"
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- lib/warden_openid_auth.rb
+- lib/warden_openid_auth/errors.rb
+- lib/warden_openid_auth/jwks.rb
+- lib/warden_openid_auth/openid_metadata.rb
+- lib/warden_openid_auth/strategy.rb
+- lib/warden_openid_auth/version.rb
+- warden_openid_auth.gemspec
+homepage: https://github.com/blafri/warden_openid_auth
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/blafri/warden_openid_auth
+  source_code_uri: https://github.com/blafri/warden_openid_auth
+  rubygems_mfa_required: 'true'
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.2.32
+signing_key: 
+specification_version: 4
+summary: A warden strategy to login via OpenID
+test_files: []