RubyGems - web47sso - Versions diffs - 0.1.0 - Mend

web47sso 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (38) hide show

checksums.yaml +7 -0
data/.bundle/config +3 -0
data/.circleci/config.yml +172 -0
data/.gitignore +59 -0
data/.rubocop.yml +34 -0
data/.ruby-version +1 -0
data/.travis.yml +7 -0
data/CODE_OF_CONDUCT.md +74 -0
data/Gemfile +5 -0
data/Gemfile.lock +440 -0
data/LICENSE +21 -0
data/LICENSE.txt +21 -0
data/README.md +68 -0
data/Rakefile +10 -0
data/app/assets/config/manifest.js +3 -0
data/app/controllers/sso_google_servers_controller.rb +44 -0
data/app/jobs/cron/trim_secure_requests.rb +20 -0
data/app/views/sso_google_servers/_form.html.haml +16 -0
data/app/views/sso_google_servers/edit.html.haml +10 -0
data/app/views/sso_google_servers/new.html.haml +9 -0
data/app/views/sso_servers/index.html.haml +28 -0
data/bin/console +14 -0
data/bin/setup +8 -0
data/config/locales/en.yml +5 -0
data/coverage_merge.rb +28 -0
data/lib/app/controllers/concerns/core_sso_servers_controller.rb +58 -0
data/lib/app/models/secure_request.rb +73 -0
data/lib/app/models/sso_google_server.rb +28 -0
data/lib/app/models/sso_oauth_server.rb +212 -0
data/lib/app/models/sso_oauth_token.rb +22 -0
data/lib/app/models/sso_server.rb +61 -0
data/lib/app/models/sso_user_login_request.rb +11 -0
data/lib/app/models/user_login_request.rb +15 -0
data/lib/app/models/user_request.rb +22 -0
data/lib/web47sso/version.rb +3 -0
data/lib/web47sso.rb +16 -0
data/web47sso.gemspec +61 -0
metadata +406 -0

data/bin/console ADDED Viewed

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+require "bundler/setup"
+require "web47sso"
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+require "irb"
+IRB.start(__FILE__)

data/bin/setup ADDED Viewed

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+bundle install
+# Do any other automated setup that you need to do here

data/config/locales/en.yml ADDED Viewed

@@ -0,0 +1,5 @@
+en:
+  ui_form:
+  sso_servers:
+    index:
+      title: SSO Servers

data/coverage_merge.rb ADDED Viewed

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+require 'simplecov'
+require 'simplecov_lcov_formatter'
+# Load up the files in the workspace and merge or collate them together.
+# This should kick out a single coverage file out
+SimpleCov::Formatter::LcovFormatter.config do |c|
+  c.single_report_path = 'coverage/final.lcov'
+  c.report_with_single_file = true
+end
+SimpleCov.collate Dir['/tmp/workspace/lcov/*.json'], 'rails' do
+  add_filter '/spec/'
+  add_filter '/config/'
+  add_filter '/lib/'
+  add_filter '/test/'
+  add_filter '/vendor/'
+  add_filter '/config/'
+  add_filter '/db/'
+  add_filter '/public/'
+  add_filter '/coverage_merge.rb'
+  add_filter '/Gemfile'
+  add_filter '/Rakefile'
+  add_filter '/Gemfile.lock'
+  add_filter '/rubocop.yml'
+  enable_coverage :branch
+  formatter SimpleCov::Formatter::LcovFormatter
+end

data/lib/app/controllers/concerns/core_sso_servers_controller.rb ADDED Viewed

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+#
+# Manage SSO severs
+#
+module CoreSsoServersController
+  include CoreController
+  include App47Logger
+  def index
+    @sso_servers = SsoServer.asc(:name)
+  end
+  def update
+    sso_server.update_attributes_and_log!(current_user, sso_server_params)
+    flash[:notice] = 'SSO Server updated'
+    redirect_to_referrer sso_servers_path
+  rescue StandardError => error
+    log_controller_error error
+    render :edit
+  end
+  def create
+    sso_server.save_and_log! current_user, sso_server_params
+    flash[:notice] = 'SSO Server created'
+    redirect_to_referrer sso_servers_path
+  rescue StandardError => error
+    log_controller_error error
+    render :new
+  end
+  def destroy
+    sso_server.destroy_and_log current_user
+    flash[:notice] = 'SSO Server removed'
+    redirect_to_referrer sso_servers_path
+  rescue StandardError => error
+    log_controller_error error, true
+    redirect_to_referrer sso_servers_path
+  end
+  private
+  def sso_server
+    @sso_server
+  end
+  #
+  # Parameters
+  #
+  def sso_server_params
+    params[:sso_server][:active] ||= 'off'
+    params[:sso_server].permit(allowed_param_names)
+  end
+  def allowed_param_names
+    SsoServer.allowed_param_names
+  end
+end

data/lib/app/models/secure_request.rb ADDED Viewed

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+#
+# Capture a secure request transaction
+#
+class SecureRequest
+  include StandardModel
+  #
+  # Fields
+  #
+  field :code, { type: String }
+  field :used, { type: Boolean, default: false }
+  field :ip_address, { type: String }
+  field :user_agent, { type: String }
+  field :valid_duration_hrs, { type: Integer, default: 1 }
+  # Make consumed and alias synonyms
+  alias consumed? used
+  # Make state and ID the same
+  alias state id
+  # @abstract Consume the requests, but also verify it's valid before doing so
+  # @param [Hash] options - options to update based on request
+  def consume!(options = {})
+    raise 'Expired request' if expired?
+    raise 'Consumed request' if consumed?
+    consume(options)
+  end
+  # @@abstract Mark this request as consumed recording the user and request information if given
+  # @param [Hash] options - options to update based on request
+  def consume(options = {})
+    self.used = true
+    if options[:request].present?
+      self.ip_address = options[:request].remote_ip
+      self.user_agent = options[:request].user_agent
+    end
+    save!
+  end
+  #
+  # What is the current status?
+  #
+  def status
+    if expired?
+      'Expired'
+    elsif consumed?
+      'Consumed'
+    else
+      'New'
+    end
+  end
+  # @abstract Check if expired or used
+  # @return Boolean - True if we are good to go, false otherwise
+  def good?
+    !consumed? && not_expired?
+  end
+  # @abstract Check if expired
+  # @return Boolean - True if we are good to go, false otherwise
+  def expired?
+    created_at < valid_duration_hrs.hours.ago.utc
+  rescue StandardError
+    true
+  end
+  # @abstract Check if not expired
+  # @return Boolean
+  def not_expired?
+    !expired?
+  end
+end

data/lib/app/models/sso_google_server.rb ADDED Viewed

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+#
+# Google OAuth 2.0
+#
+class SsoGoogleServer < SsoOauthServer
+  #
+  # Google Server SSO name
+  #
+  def display_name
+    'Google OAuth 2.0'
+  end
+  private
+  #
+  # Google SSO settings
+  #
+  def customize_defaults
+    self.server_url ||= 'https://accounts.google.com'
+    self.auth_url ||= 'https://accounts.google.com/o/oauth2/auth'
+    self.token_url ||= 'https://accounts.google.com/o/oauth2/token'
+    self.profile_url ||= 'https://www.googleapis.com/userinfo/v2/me'
+    self.redirect_path ||= 'auth/google'
+    self.scopes ||= 'https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email'
+    super
+  end
+end

data/lib/app/models/sso_oauth_server.rb ADDED Viewed

@@ -0,0 +1,212 @@
+# frozen_string_literal: true
+#
+# OAuth 2.0 Server
+#
+class SsoOauthServer < SsoServer
+  # Fields
+  field :server_url, type: String
+  field :auth_url, type: String
+  field :token_url, type: String
+  field :profile_url, type: String
+  field :redirect_path, type: String
+  field :client_id, type: String
+  field :client_secret, type: String
+  field :scopes, type: String
+  # Validations
+  validates :client_id, presence: true
+  validates :client_secret, presence: true
+  # @abstract Using the appropriate SSO server configuration obtain the user profile address
+  # @return Hash - User profile as a hash
+  def user_profile(code)
+    # Exchange the code to validate the token
+    token = exchange(SystemConfiguration.base_url, code)
+    log_debug "user_profile token: #{token.inspect}"
+    raise 'Invalid token' unless token.present? && token.valid?
+    # Get scoped information using the access token
+    user_profile = get_profile(token)
+    log_debug "user_profile user_profile: #{user_profile.inspect}"
+    raise 'Failed to retrieve user profile from provider' if user_profile.blank?
+    # user_profile.symbolize_keys
+    clean_user_profile(user_profile)
+  end
+  # @abstract Default mapping of user profile keys to what the caller is expecting
+  # @return Hash - Mapping of key names for the user profile
+  def profile_key_mapping
+    @profile_key_mapping ||= { name: 'name', email: 'email' }
+  end
+  # @abstract Clean up the user profile to only return what is listed in the key mapping. Not everything
+  # @return Hash - The user profile using the mapping from this class
+  def clean_user_profile(user_profile)
+    profile = {}
+    profile_key_mapping.each do |key, value|
+      profile[key] = user_profile[value]
+    end
+    profile
+  end
+  # @abstract OAuth 2.0 provider's authorization endpoint URL
+  # @return URL - The URL for the authorization end point
+  def auth_endpoint
+    return nil if server_url.blank? || auth_url.blank?
+    prefix_server auth_url
+  end
+  # @abstract OAuth 2.0 provider's token endpoint URL
+  # @return URL - the Token endpoint
+  def token_endpoint
+    return nil if server_url.blank? || token_url.blank?
+    prefix_server token_url
+  end
+  # @abstract OAuth 2.0 provider's profile endpoint URL
+  # @return Profile end point
+  def profile_endpoint
+    return nil if server_url.blank? || profile_url.blank?
+    prefix_server profile_url
+  end
+  # @abstract URL to redirect users to going through the flow
+  # @return URL - Redirect URL for this server
+  def redirect_uri(root_url = SystemConfiguration.base_url)
+    return root_url if redirect_path.blank? || root_url.blank?
+    [root_url, (root_url.end_with?('/') ? '' : '/'), redirect_path.gsub(%r{^/+}, '')].join
+  end
+  # @abstract Scope specifies optional requested permissions
+  # @return Array[String] - Scopes for this server
+  def requested_scopes
+    scopes.present? ? scopes.split(' ') : []
+  end
+  #
+  # Returns a URL to the OAuth 2.0 provider's consent page
+  # asking for permissions for the given scopes explicitly.
+  #
+  # State is a token to protect the user from CSRF attacks. You
+  # must always provide a non-zero string and validate that it
+  # matches the state query parameter on your redirect callback.
+  #
+  def auth_code_url(request, parameters = {})
+    super
+    uri = URI(auth_endpoint)
+    uri.query = parameters.merge(response_type: 'code',
+                                 client_id: client_id,
+                                 redirect_uri: redirect_uri,
+                                 scope: requested_scopes.join(' '),
+                                 state: request.state).to_query
+    uri.to_s
+  end
+  #
+  # Exchange will convert an authorization code into a token.
+  #
+  def exchange(root_url, code)
+    response = send_request_for_exchange(root_url, code)
+    log_debug response.body.inspect
+    raise 'Cannot fetch token' unless response.code.between? 200, 299
+    extract_token(response_values(response))
+  rescue StandardError => error
+    log_error 'Unable to retrieve profile', error
+    nil
+  end
+  # @abstract Get the profile given an access token, can be overriden by concrete implementations.
+  # @param [SsoOauthToken] access_token
+  # @return [Hash]
+  def get_profile(access_token)
+    log_debug "get_profile profile_endpoint: #{profile_endpoint} with token: #{access_token.inspect}"
+    response = RestClient.get(profile_endpoint, Authorization: access_token.authorization)
+    log_debug "get_profile response: #{response.body}"
+    response_values(response)
+  end
+  #
+  # Based on the response content type get a hash of values.
+  #
+  def response_values(response)
+    log_debug "response_values response: #{response.inspect}"
+    case response.headers[:content_type]
+    when 'application/x-www-form-urlencoded', 'text/plain'
+      log_debug "form or plain text response: #{response.body}"
+      log_debug Rack::Utils.parse_nested_query(response.body).inspect
+      Rack::Utils.parse_nested_query(response.body)
+    else
+      log_debug "json: #{response.body}"
+      JSON.parse(response.body)
+    end
+  end
+  #
+  # Token will come in the following schema (hopefully)
+  #
+  #  - AccessToken: access_token
+  #  - TokenType: token_type
+  #  - Refresh Token: refresh_token
+  #  - Expiry: expires_in, expires (thank you FB)
+  #
+  def extract_token(vals)
+    log_debug "extract_token: #{vals.inspect}"
+    token = SsoOauthToken.new
+    token.access_token = vals['access_token']
+    token.token_type = vals['token_type']
+    token.refresh_token = vals['refresh_token']
+    # Convert `e` to integer and then to a time
+    e = vals['expires_in']
+    e = vals['expires'] if e.blank?
+    token.expiry = Time.now.utc + e.to_i.seconds unless e.blank?
+    token
+  end
+  private
+  #
+  # If a relative path was given prepend the server as the base
+  #
+  def prefix_server(path)
+    if path.start_with?(server_url) || path.starts_with?('http')
+      path
+    else
+      "#{server_url.chomp('/')}/#{path.gsub(%r{^/+}, '')}"
+    end
+  end
+  #
+  # Send HTTP POST to exchange the authorization code for an access token.
+  #
+  def send_request_for_exchange(root_url, code)
+    RestClient.post(token_endpoint,
+                    {
+                      grant_type: 'authorization_code',
+                      client_id: client_id,
+                      client_secret: client_secret,
+                      code: code,
+                      redirect_uri: redirect_uri(root_url),
+                      scope: requested_scopes.join(' ')
+                    },
+                    content_type: 'application/x-www-form-urlencoded',
+                    accept: :json)
+  rescue RestClient::ExceptionWithResponse => error
+    log_error "Unable to fetch OAuth token #{inspect}, #{response.inspect}", error
+    log_error "Redirect_uri #{redirect_uri(root_url)}"
+    log_error "response body #{response.body}"
+    raise error
+  end
+  def customize_defaults
+    self.redirect_path ||= 'auth/oauth'
+    super
+  end
+end

data/lib/app/models/sso_oauth_token.rb ADDED Viewed

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+#
+# OAuth 2.0 Token
+#
+class SsoOauthToken
+  attr_accessor :access_token, :token_type, :refresh_token, :expiry
+  # @abstract The authorization string for this token type
+  # @return String
+  def authorization
+    [type, access_token].compact.join(' ')
+  end
+  def type
+    @token_type.presence || 'Bearer'
+  end
+  def valid?
+    @access_token.present? && (@expiry.nil? || Time.now.utc < @expiry)
+  end
+end

data/lib/app/models/sso_server.rb ADDED Viewed

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+#
+# Base server container for an account which can have 0..N sso servers configured.
+#
+class SsoServer
+  include StandardModel
+  include SearchAble
+  #
+  # fields
+  #
+  field :active, type: Boolean, default: false
+  field :name, type: String
+  field :logout_url, type: String
+  #
+  # relationships
+  #
+  has_many :users, inverse_of: :sso_server, dependent: :nullify, class_name: 'User'
+  has_many :requests, inverse_of: :sso_server, class_name: 'SsoUserLoginRequest', dependent: :destroy
+  #
+  # Validations
+  #
+  validates :name, presence: true, uniqueness: true
+  validates :logout_url, url: true, allow_blank: true
+  #
+  # callbacks
+  #
+  after_initialize :customize_defaults
+  # @abstract Default is to do nothing, but subclasses may override this
+  def customize_defaults; end
+  # @abstract Display name for this server, should be overridden by concrete implementations.
+  # @return String
+  def display_name
+    'SSO Server'
+  end
+  # @abstract Return the welcome message
+  # @return String
+  def display_instructions
+    "Click to get started with #{display_name}"
+  end
+  # @abstract Using the appropriate SSO server configuration obtain the
+  # user profile address, this should be implemented by the child class.
+  # @return Hash
+  # @raise NotImplementedError if the method is not implemented in the concrete class
+  def user_profile(_code)
+    raise NotImplementedError, 'Failed to retrieve user profile from provider'
+  end
+  # @abstract Get the authentication URL for the SSO Server, must be implemented by the concrete class
+  # @return URL
+  def auth_code_url(request, _parameters = {})
+    return if request.is_a?(SsoUserLoginRequest)
+    request = request.becomes(SsoUserLoginRequest)
+    request.update! sso_server: self
+  end
+end

data/lib/app/models/sso_user_login_request.rb ADDED Viewed

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+#
+# Capture the request of an SSO authentication
+#
+class SsoUserLoginRequest < UserLoginRequest
+  #
+  # Relationships
+  #
+  belongs_to :sso_server, { inverse_of: :requests }
+end

data/lib/app/models/user_login_request.rb ADDED Viewed

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+#
+# Capture the request of a User authentication
+#
+class UserLoginRequest < UserRequest
+  #
+  # Fields
+  #
+  field :browser_uid, { type: String }
+  #
+  # Validations
+  #
+  validates :browser_uid, presence: true
+end

data/lib/app/models/user_request.rb ADDED Viewed

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+#
+# Capture the request for a user
+#
+class UserRequest < SecureRequest
+  #
+  # Relationships
+  #
+  belongs_to :user, { inverse_of: :requests, optional: true, class_name: 'User' }
+  # @abstract Mark this request as consumed recording the user and request information if given
+  def consume(options = {})
+    self.user = options[:user] if options[:user].present?
+    super
+  end
+  # @abstract Return the end point for the given request
+  def default_uri(endpoint_path = 'home')
+    [SystemConfiguration.base_url, endpoint_path].join('/')
+  end
+end

data/lib/web47sso/version.rb ADDED Viewed

@@ -0,0 +1,3 @@
+module Web47sso
+  VERSION = '0.1.0'
+end

data/lib/web47sso.rb ADDED Viewed

@@ -0,0 +1,16 @@
+require "web47sso/version"
+require 'app/models/secure_request'
+require 'app/models/sso_server'
+require 'app/models/sso_oauth_server'
+require 'app/models/sso_google_server'
+require 'app/models/sso_oauth_token'
+require 'app/models/user_request'
+require 'app/models/user_login_request'
+require 'app/models/sso_user_login_request'
+require 'app/controllers/concerns/core_sso_servers_controller'
+module Web47sso
+  class Error < StandardError; end
+  # Your code goes here...
+end

data/web47sso.gemspec ADDED Viewed

@@ -0,0 +1,61 @@
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "web47sso/version"
+Gem::Specification.new do |spec|
+  spec.name          = "web47sso"
+  spec.version       = Web47sso::VERSION
+  spec.authors       = ["Chris Schroeder"]
+  spec.email         = ["chris@app47.com"]
+  spec.summary       = %q{App47 Web SSO}
+  spec.description   = %q{Single Sign On (SSO) components used in several App47 Apps}
+  spec.homepage      = "https://github.com/App47/web47sso.git"
+  spec.license       = "MIT"
+  # Prevent pushing this gem to RubyGems.org. To allow pushes either set the 'allowed_push_host'
+  # to allow pushing to a single host or delete this section to allow pushing to any host.
+  if spec.respond_to?(:metadata)
+    spec.metadata["allowed_push_host"] = 'https://rubygems.org'
+    spec.metadata["homepage_uri"] = spec.homepage
+    spec.metadata["source_code_uri"] = "https://github.com/App47/web47sso.git"
+  else
+    raise "RubyGems 2.0 or newer is required to protect against " \
+      "public gem pushes."
+  end
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = "bin"
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+  spec.add_runtime_dependency 'mongoid', '~> 9.0'
+  spec.add_runtime_dependency 'web47core', '~> 3.2.28'
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "minitest", "~> 5.0"
+  spec.add_development_dependency 'brakeman'
+  spec.add_development_dependency 'codacy-coverage'
+  spec.add_development_dependency 'database_cleaner-mongoid'
+  spec.add_development_dependency 'factory_bot'
+  spec.add_development_dependency 'factory_bot_rails'
+  spec.add_development_dependency 'listen'
+  spec.add_development_dependency 'minitest-rails'
+  spec.add_development_dependency 'minitest-reporters'
+  spec.add_development_dependency 'mocha'
+  spec.add_development_dependency 'rails', '~> 7.2.2'
+  spec.add_development_dependency 'railties'
+  spec.add_development_dependency 'sass-rails'
+  spec.add_development_dependency 'shoulda', '~> 4.0.0'
+  spec.add_development_dependency 'shoulda-context'
+  spec.add_development_dependency 'shoulda-matchers'
+  spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'simplecov_lcov_formatter'
+  spec.add_development_dependency 'test-unit'
+  spec.add_development_dependency 'webmock'
+end