From 031679762a5b519fe708b3853cee40420b0bea00 Mon Sep 17 00:00:00 2001 
From: augier Date: Sun, 13 Sep 2015 14:44:22 -0700 Subject: [PATCH] Redesign the models --- .../authorizations_controller.rb | 6 +- .../openid_connect/clients_controller.rb | 2 +- .../openid_connect/discovery_controller.rb | 56 +++++++++---------- app/models/authorization.rb | 7 --- app/models/openid_connect/authorization.rb | 43 ++++++++++++++ .../authorization_scope.rb | 0 .../o_auth_access_token.rb} | 5 +- .../o_auth_application.rb | 4 +- app/models/{ => openid_connect}/scope.rb | 2 +- .../{ => openid_connect}/scopes_tokens.rb | 2 +- app/models/refresh_token.rb | 26 --------- app/models/user.rb | 22 ++++---- config/application.rb | 2 +- ...50614134031_create_o_auth_access_tokens.rb | 13 +++++ db/migrate/20150614134031_create_tokens.rb | 15 ----- .../20150708153926_create_authorizations.rb | 1 + ...create_authorizations_scopes_join_table.rb | 2 +- ...8155747_create_scopes_tokens_join_table.rb | 2 +- .../20150713132035_create_refresh_token.rb | 14 ----- db/schema.rb | 56 +++++++++++++++---- lib/account_deleter.rb | 7 ++- .../{authorization => endpoints}/endpoint.rb | 7 ++- .../endpoint_confirmation_point.rb | 2 +- .../endpoint_start_point.rb | 4 +- lib/openid_connect/token_endpoint.rb | 14 ++--- .../authorizations_controller_spec.rb | 6 +- .../protected_resource_endpoint_spec.rb | 6 +- .../lib/openid_connect/token_endpoint_spec.rb | 2 +- 28 files changed, 181 insertions(+), 147 deletions(-) delete mode 100644 app/models/authorization.rb create mode 100644 app/models/openid_connect/authorization.rb rename app/models/{ => openid_connect}/authorization_scope.rb (100%) rename app/models/{token.rb => openid_connect/o_auth_access_token.rb} (84%) rename app/models/{ => openid_connect}/o_auth_application.rb (85%) rename app/models/{ => openid_connect}/scope.rb (79%) rename app/models/{ => openid_connect}/scopes_tokens.rb (68%) delete mode 100644 app/models/refresh_token.rb create mode 100644 db/migrate/20150614134031_create_o_auth_access_tokens.rb delete mode 100644 
db/migrate/20150614134031_create_tokens.rb delete mode 100644 db/migrate/20150713132035_create_refresh_token.rb rename lib/openid_connect/{authorization => endpoints}/endpoint.rb (77%) rename lib/openid_connect/{authorization => endpoints}/endpoint_confirmation_point.rb (97%) rename lib/openid_connect/{authorization => endpoints}/endpoint_start_point.rb (89%) diff --git a/app/controllers/openid_connect/authorizations_controller.rb b/app/controllers/openid_connect/authorizations_controller.rb index c16d0ae9c..e5f39e8b0 100644 --- a/app/controllers/openid_connect/authorizations_controller.rb +++ b/app/controllers/openid_connect/authorizations_controller.rb @@ -17,7 +17,7 @@ class OpenidConnect::AuthorizationsController < ApplicationController private def request_authorization_consent_form - endpoint = OpenidConnect::Authorization::EndpointStartPoint.new(current_user) + endpoint = OpenidConnect::Endpoints::EndpointStartPoint.new(current_user) handle_startpoint_response(endpoint) end @@ -35,7 +35,7 @@ class OpenidConnect::AuthorizationsController < ApplicationController end def process_authorization_consent(approvedString) - endpoint = OpenidConnect::Authorization::EndpointConfirmationPoint.new(current_user, to_boolean(approvedString)) + endpoint = OpenidConnect::Endpoints::EndpointConfirmationPoint.new(current_user, to_boolean(approvedString)) restore_request_parameters(endpoint) handle_confirmation_endpoint_response(endpoint) end @@ -56,7 +56,7 @@ class OpenidConnect::AuthorizationsController < ApplicationController req.update_param("redirect_uri", session[:redirect_uri]) req.update_param("response_type", session[:response_type]) endpoint.scopes, endpoint.request_object = - session[:scopes].map {|scope| Scope.find_by_name(scope) }, session[:request_object] + session[:scopes].map {|scope| OpenidConnect::Scope.find_by_name(scope) }, session[:request_object] end def to_boolean(str) 
diff --git a/app/controllers/openid_connect/clients_controller.rb b/app/controllers/openid_connect/clients_controller.rb index bc28752e3..a00b9d3d8 100644 --- a/app/controllers/openid_connect/clients_controller.rb +++ b/app/controllers/openid_connect/clients_controller.rb @@ -9,7 +9,7 @@ class OpenidConnect::ClientsController < ApplicationController def create registrar = OpenIDConnect::Client::Registrar.new(request.url, params) - client = OAuthApplication.register! registrar + client = OpenidConnect::OAuthApplication.register! registrar render json: client end diff --git a/app/controllers/openid_connect/discovery_controller.rb b/app/controllers/openid_connect/discovery_controller.rb index 020c05c2f..c06678fa3 100644 --- a/app/controllers/openid_connect/discovery_controller.rb +++ b/app/controllers/openid_connect/discovery_controller.rb 
@@ -1,32 +1,30 @@ -module OpenidConnect - class DiscoveryController < ApplicationController - def webfinger - jrd = { - links: [{ - rel: OpenIDConnect::Discovery::Provider::Issuer::REL_VALUE, - href: File.join(root_url, "openid_connect") - }] - } - jrd[:subject] = params[:resource] if params[:resource].present? - render json: jrd, content_type: "application/jrd+json" - end +class OpenidConnect::DiscoveryController < ApplicationController + def webfinger + jrd = { + links: [{ + rel: OpenIDConnect::Discovery::Provider::Issuer::REL_VALUE, + href: File.join(root_url, "openid_connect") + }] + } + jrd[:subject] = params[:resource] if params[:resource].present? + render json: jrd, content_type: "application/jrd+json" + end - def configuration - render json: OpenIDConnect::Discovery::Provider::Config::Response.new( - issuer: root_url, - registration_endpoint: openid_connect_clients_url, - authorization_endpoint: new_openid_connect_authorization_url, - token_endpoint: openid_connect_access_tokens_url, - userinfo_endpoint: api_v0_user_url, - jwks_uri: "https://not_configured_yet.com", # TODO: File.join({new_openid_connect_authorization_path} + "/jwks.json"), - scopes_supported: Scope.pluck(:name), - response_types_supported: OAuthApplication.available_response_types, - request_object_signing_alg_values_supported: %i(HS256 HS384 HS512), - subject_types_supported: %w(public pairwise), - id_token_signing_alg_values_supported: %i(RS256), - token_endpoint_auth_methods_supported: %w(client_secret_basic client_secret_post), - # TODO: claims_supported: ["sub", "iss", "name", "email"] - ) - end + def configuration + render json: OpenIDConnect::Discovery::Provider::Config::Response.new( + issuer: root_url, + registration_endpoint: openid_connect_clients_url, + authorization_endpoint: new_openid_connect_authorization_url, + token_endpoint: openid_connect_access_tokens_url, + userinfo_endpoint: api_v0_user_url, + jwks_uri: "https://not_configured_yet.com", # TODO: 
File.join({new_openid_connect_authorization_path} + "/jwks.json"), + scopes_supported: Scope.pluck(:name), + response_types_supported: OAuthApplication.available_response_types, + request_object_signing_alg_values_supported: %i(HS256 HS384 HS512), + subject_types_supported: %w(public pairwise), + id_token_signing_alg_values_supported: %i(RS256), + token_endpoint_auth_methods_supported: %w(client_secret_basic client_secret_post), + # TODO: claims_supported: ["sub", "iss", "name", "email"] + ) end end diff --git a/app/models/authorization.rb b/app/models/authorization.rb deleted file mode 100644 index a94e9edf2..000000000 --- a/app/models/authorization.rb +++ /dev/null @@ -1,7 +0,0 @@ -class Authorization < ActiveRecord::Base - belongs_to :user - belongs_to :o_auth_application - has_many :scopes, through: :authorization_scopes - - # TODO: Incomplete class -end diff --git a/app/models/openid_connect/authorization.rb b/app/models/openid_connect/authorization.rb new file mode 100644 index 000000000..1b0b97f76 --- /dev/null +++ b/app/models/openid_connect/authorization.rb 
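Review bot: `scopes_supported: Scope.pluck(:name)` and `response_types_supported: OAuthApplication.available_response_types` in `configuration` are the only call sites in this commit left at the old unqualified names, while the same hunk rewrites the class header to the compact form `class OpenidConnect::DiscoveryController`, which does not put `OpenidConnect` into the lexical constant scope the way the removed `module OpenidConnect` / `class DiscoveryController` nesting did. With the top-level `Scope` and `OAuthApplication` files deleted by this commit, resolution of these two names now depends on ActiveSupport's const_missing fallback, which I would not rely on across lazy and eager loading. Qualify both, `scopes_supported: OpenidConnect::Scope.pluck(:name),` and `response_types_supported: OpenidConnect::OAuthApplication.available_response_types,`, as the other controllers in this diff do.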
@@ -0,0 +1,43 @@ +class OpenidConnect::Authorization < ActiveRecord::Base + belongs_to :user + belongs_to :o_auth_application + has_many :scopes, through: :authorization_scopes + has_many :o_auth_access_tokens + + before_validation :setup, on: :create + + validates :refresh_token, uniqueness: true + validates :user, :o_auth_application, uniqueness: true + + # TODO: Incomplete class + + def setup + self.refresh_token = nil + end + + def self.valid?(token) + OpenidConnect::Authorization.exists? refresh_token: token + end + + def create_refresh_token + self.refresh_token = SecureRandom.hex(32) + end + + def create_token + o_auth_access_tokens.create!.bearer_token + end + + def self.find_by_client_id_and_user(client_id, user) + app = OpenidConnect::OAuthApplication.find_by(client_id: client_id) + find_by(o_auth_application: app, user: user) + end + + def self.find_or_create(client_id, user) + auth = find_by_client_id_and_user client_id, user + unless auth + # TODO: Handle creation error + auth = create! user: user, o_auth_application: OpenidConnect::OAuthApplication.find_by(client_id: client_id) + end + auth + end +end diff --git a/app/models/authorization_scope.rb b/app/models/openid_connect/authorization_scope.rb similarity index 100% rename from app/models/authorization_scope.rb rename to app/models/openid_connect/authorization_scope.rb diff --git a/app/models/token.rb b/app/models/openid_connect/o_auth_access_token.rb similarity index 84% rename from app/models/token.rb rename to app/models/openid_connect/o_auth_access_token.rb index e50796a38..bb7c8d90e 100644 --- a/app/models/token.rb +++ b/app/models/openid_connect/o_auth_access_token.rb @@ -1,7 +1,7 @@ -class Token < ActiveRecord::Base +class OpenidConnect::OAuthAccessToken < ActiveRecord::Base belongs_to :user + belongs_to :authorization has_many :scopes, through: :scope_tokens - has_one :refresh_token before_validation :setup, on: :create 
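Review bot: `validates :user, :o_auth_application, uniqueness: true` in the new `OpenidConnect::Authorization` validates each attribute on its own, so a user may hold one authorization across all applications and an application may be authorized by a single user; the intended constraint is the pair, `validates :user_id, uniqueness: {scope: :o_auth_application_id}`. `self.valid?(token)` runs `exists? refresh_token: token` without a blank guard, while `setup` stores `nil` and nothing in this commit calls `create_refresh_token`, so a refresh request that omits the refresh_token matches every authorization in the table; add `return false if token.blank?` and have the caller look the authorization up by its token rather than testing existence globally. `validates :refresh_token, uniqueness: true` will, unless I misread how the Rails uniqueness validator treats nil, also reject the second authorization ever created because all of them carry `nil`, so `allow_nil: true` is needed there. `has_many :scopes, through: :authorization_scopes` has no matching `has_many :authorization_scopes` declaration (carried over from the deleted app/models/authorization.rb), so that association raises the first time it is used.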
@@ -11,7 +11,6 @@ class Token < ActiveRecord::Base def setup self.token = SecureRandom.hex(32) - self.refresh_token = RefreshToken.create! self.expires_at = 24.hours.from_now end diff --git a/app/models/o_auth_application.rb b/app/models/openid_connect/o_auth_application.rb similarity index 85% rename from app/models/o_auth_application.rb rename to app/models/openid_connect/o_auth_application.rb index 0b6b2b9df..a5b1de35e 100644 --- a/app/models/o_auth_application.rb +++ b/app/models/openid_connect/o_auth_application.rb @@ -1,7 +1,8 @@ -class OAuthApplication < ActiveRecord::Base +class OpenidConnect::OAuthApplication < ActiveRecord::Base belongs_to :user has_many :authorizations + has_many :user, through: :authorizations validates :client_id, presence: true, uniqueness: true validates :client_secret, presence: true @@ -9,6 +10,7 @@ class OAuthApplication < ActiveRecord::Base serialize :redirect_uris, JSON before_validation :setup, on: :create + def setup self.client_id = SecureRandom.hex(16) self.client_secret = SecureRandom.hex(32) diff --git a/app/models/scope.rb b/app/models/openid_connect/scope.rb similarity index 79% rename from app/models/scope.rb rename to app/models/openid_connect/scope.rb index a2cccb2da..8fb8b28ed 100644 --- a/app/models/scope.rb +++ b/app/models/openid_connect/scope.rb @@ -1,4 +1,4 @@ -class Scope < ActiveRecord::Base +class OpenidConnect::Scope < ActiveRecord::Base has_many :tokens, through: :scope_tokens has_many :authorizations, through: :authorization_scopes diff --git a/app/models/scopes_tokens.rb b/app/models/openid_connect/scopes_tokens.rb similarity index 68% rename from app/models/scopes_tokens.rb rename to app/models/openid_connect/scopes_tokens.rb index 82f3d1c5e..de790ef63 100644 --- a/app/models/scopes_tokens.rb +++ b/app/models/openid_connect/scopes_tokens.rb @@ -1,4 +1,4 @@ -class ScopeToken < ActiveRecord::Base +class OpenidConnect::ScopeToken < ActiveRecord::Base belongs_to :scope belongs_to :token 
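Review bot: `has_many :user, through: :authorizations` in `OpenidConnect::OAuthApplication` reuses the singular name that `belongs_to :user` two lines above already defines, so the second declaration replaces the owner accessor with a collection reader; it should be `has_many :users, through: :authorizations`. In the scopes_tokens.rb hunk on this line `ScopeToken` keeps `belongs_to :token` although the join column is renamed to `o_auth_access_token_id` in the migration and db/schema.rb of this commit, and `OAuthAccessToken` declares `has_many :scopes, through: :scope_tokens` with no `has_many :scope_tokens` to go through. `belongs_to :o_auth_access_token` on `ScopeToken` plus the intermediate association on the token model would make the three agree.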
diff --git a/app/models/refresh_token.rb b/app/models/refresh_token.rb deleted file mode 100644 index 08fcc6f47..000000000 --- a/app/models/refresh_token.rb +++ /dev/null @@ -1,26 +0,0 @@ -class RefreshToken < ActiveRecord::Base - belongs_to :token - - before_validation :setup, on: :create - - validates :refresh_token, presence: true, uniqueness: true - - attr_reader :refresh_token - - def setup - self.refresh_token = SecureRandom.hex(32) - # No expipration date for now - end - - # Finds the requested refresh token and destroys it if found; returns true if found, false otherwise - def valid?(token) - the_token = RefreshToken.find_by_refresh_token token - if the_token - RefreshToken.destroy_all refresh_token: the_token.refresh_token - Token.destroy_all refresh_token: the_token.refresh_token - true - else - false - end - end -end diff --git a/app/models/user.rb b/app/models/user.rb index 6c98eeb73..945ae434e 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -76,9 +76,9 @@ class User < ActiveRecord::Base has_many :reports - has_many :o_auth_applications - has_many :authorizations - has_many :tokens + has_many :authorizations, class_name: 'OpenidConnect::Authorization' + has_many :o_auth_applications, through: :authorizations, class_name: 'OpenidConnect::OAuthApplication' + has_many :o_auth_access_tokens, through: :authorizations, class_name: 'OpenidConnect::OAuthAccessToken' before_save :guard_unconfirmed_email, :save_person! 
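Review bot: `has_many :o_auth_applications, through: :authorizations` changes what `user.o_auth_applications` means, from applications the user registered (`OpenidConnect::OAuthApplication` still has `belongs_to :user`) to applications the user has authorized, and nothing in the diff adds an inverse for the registered-by relation. `AccountDeleter#normal_ar_user_associates_to_delete` in the lib/account_deleter.rb hunk further down keeps `o_auth_applications` in its list, so account deletion now acts on the authorized applications instead of the ones the user registered; whether that removes only the join rows or other users' applications depends on how that method removes a through association, which is outside the diff. Keeping the direct association under a distinct name, e.g. `has_many :registered_o_auth_applications, class_name: "OpenidConnect::OAuthApplication", foreign_key: :user_id`, would preserve both meanings and let the deleter name the one it intends.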
@@ -602,15 +602,17 @@ class User < ActiveRecord::Base end end + def find_authorization_by_client_id(client_id) + OpenidConnect::Authorization.find_by_client_id_and_user client_id, self + end + private def clearable_fields - self.attributes.keys - ["id", "username", "encrypted_password", - "created_at", "updated_at", "locked_at", - "serialized_private_key", "getting_started", - "disable_mail", "show_community_spotlight_in_stream", - "strip_exif", "email", "remove_after", - "export", "exporting", "exported_at", - "exported_photos_file", "exporting_photos", "exported_photos_at"] + self.attributes.keys - %w(id username encrypted_password created_at updated_at locked_at + serialized_private_key getting_started + disable_mail show_community_spotlight_in_stream + strip_exif email remove_after export exporting exported_at + exported_photos_file exporting_photos exported_photos_at) end end diff --git a/config/application.rb b/config/application.rb index 49ddc6b1b..7fc97f5ca 100644 --- a/config/application.rb +++ b/config/application.rb @@ -109,7 +109,7 @@ module Diaspora config.action_mailer.asset_host = AppConfig.pod_uri.to_s config.middleware.use Rack::OAuth2::Server::Resource::Bearer, "OpenID Connect" do |req| - Token.valid(Time.now.utc).find_by(token: req.access_token) || req.invalid_token! + OpenidConnect::OAuthAccessToken.valid(Time.now.utc).find_by(token: req.access_token) || req.invalid_token! end end end diff --git a/db/migrate/20150614134031_create_o_auth_access_tokens.rb b/db/migrate/20150614134031_create_o_auth_access_tokens.rb new file mode 100644 index 000000000..8607500d1 --- /dev/null +++ b/db/migrate/20150614134031_create_o_auth_access_tokens.rb @@ -0,0 +1,13 @@ +class CreateOAuthAccessTokens < ActiveRecord::Migration + def self.up + create_table :o_auth_access_tokens do |t| + t.belongs_to :user, index: true + t.belongs_to :authorizations + t.belongs_to :endpoints + t.string :token + t.datetime :expires_at + + t.timestamps null: false + end + end +end 
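Review bot: The new CreateOAuthAccessTokens migration declares `t.belongs_to :authorizations` and `t.belongs_to :endpoints`, which create `authorizations_id` and `endpoints_id` columns, whereas `belongs_to :authorization` in the model and the db/schema.rb hunk in this commit expect `authorization_id`, and nothing references an endpoints column at all; the same slip appears in the authorizations_scopes join-table migration on the next line, where `t.belongs_to :authorization` became `t.belongs_to :endpoints` while db/schema.rb still shows `authorization_id`. Use `t.belongs_to :authorization, index: true` here and in that migration and drop the `endpoints` column. This migration also loses the `self.down` that the deleted CreateTokens migration had, so it cannot be reverted; a `def self.down` with `drop_table :o_auth_access_tokens` (or a `change` method) restores that.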
diff --git a/db/migrate/20150614134031_create_tokens.rb b/db/migrate/20150614134031_create_tokens.rb deleted file mode 100644 index 5a5e292f4..000000000 --- a/db/migrate/20150614134031_create_tokens.rb +++ /dev/null @@ -1,15 +0,0 @@ -class CreateTokens < ActiveRecord::Migration - def self.up - create_table :tokens do |t| - t.belongs_to :user, index: true - t.string :token - t.datetime :expires_at - - t.timestamps null: false - end - end - - def self.down - drop_table :tokens - end -end diff --git a/db/migrate/20150708153926_create_authorizations.rb b/db/migrate/20150708153926_create_authorizations.rb index 572bdc83c..24acdc081 100644 --- a/db/migrate/20150708153926_create_authorizations.rb +++ b/db/migrate/20150708153926_create_authorizations.rb @@ -3,6 +3,7 @@ class CreateAuthorizations < ActiveRecord::Migration create_table :authorizations do |t| t.belongs_to :user, index: true t.belongs_to :o_auth_application, index: true + t.string :refresh_token t.timestamps null: false end diff --git a/db/migrate/20150708155202_create_authorizations_scopes_join_table.rb b/db/migrate/20150708155202_create_authorizations_scopes_join_table.rb index c91e50d11..48a5929ca 100644 --- a/db/migrate/20150708155202_create_authorizations_scopes_join_table.rb +++ b/db/migrate/20150708155202_create_authorizations_scopes_join_table.rb @@ -1,7 +1,7 @@ class CreateAuthorizationsScopesJoinTable < ActiveRecord::Migration def change create_table :authorizations_scopes, id: false do |t| - t.belongs_to :authorization, index: true + t.belongs_to :endpoints, index: true t.belongs_to :scope, index: true end end diff --git a/db/migrate/20150708155747_create_scopes_tokens_join_table.rb b/db/migrate/20150708155747_create_scopes_tokens_join_table.rb index b0416e5e8..a52835048 100644 --- a/db/migrate/20150708155747_create_scopes_tokens_join_table.rb +++ b/db/migrate/20150708155747_create_scopes_tokens_join_table.rb 
@@ -2,7 +2,7 @@ class CreateScopesTokensJoinTable < ActiveRecord::Migration def change create_table :scopes_tokens, id: false do |t| t.belongs_to :scope, index: true - t.belongs_to :token, index: true + t.belongs_to :o_auth_access_token, index: true end end end diff --git a/db/migrate/20150713132035_create_refresh_token.rb b/db/migrate/20150713132035_create_refresh_token.rb deleted file mode 100644 index e03632e12..000000000 --- a/db/migrate/20150713132035_create_refresh_token.rb +++ /dev/null @@ -1,14 +0,0 @@ -class RefreshToken < ActiveRecord::Migration - def change - create_table :refresh_token do - t.belongs_to :token - t.string :refresh_token - - t.timestamps null: false - end - end - - def self.down - drop_table :refresh_token - end -end diff --git a/db/schema.rb b/db/schema.rb index 27ab1e24c..d5b98ce39 100644 --- a/db/schema.rb +++ b/db/schema.rb @@ -11,7 +11,7 @@ # # It's strongly recommended that you check this file into your version control system. -ActiveRecord::Schema.define(version: 20151003142048) do +ActiveRecord::Schema.define(version: 20150708155747) do create_table "account_deletions", force: :cascade do |t| t.string "diaspora_handle", limit: 255 
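Review bot: `ActiveRecord::Schema.define(version: 20150708155747)` lowers the schema version from 20151003142048 even though migrations with higher timestamps (the 20150713132035 one removed here and the 20151003142048 one the old version recorded) exist or existed in db/migrate; after a `db:schema:load`, every migration newer than the new version is reported as pending and run again on a freshly loaded schema. The version should remain the highest migration timestamp in db/migrate, i.e. stay at 20151003142048 unless a newer migration is added.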
@@ -55,6 +55,25 @@ ActiveRecord::Schema.define(version: 20151003142048) do add_index "aspects", ["user_id", "contacts_visible"], name: "index_aspects_on_user_id_and_contacts_visible", using: :btree add_index "aspects", ["user_id"], name: "index_aspects_on_user_id", using: :btree + create_table "authorizations", force: :cascade do |t| + t.integer "user_id", limit: 4 + t.integer "o_auth_application_id", limit: 4 + t.string "refresh_token", limit: 255 + t.datetime "created_at", null: false + t.datetime "updated_at", null: false + end + + add_index "authorizations", ["o_auth_application_id"], name: "index_authorizations_on_o_auth_application_id", using: :btree + add_index "authorizations", ["user_id"], name: "index_authorizations_on_user_id", using: :btree + + create_table "authorizations_scopes", id: false, force: :cascade do |t| + t.integer "authorization_id", limit: 4 + t.integer "scope_id", limit: 4 + end + + add_index "authorizations_scopes", ["authorization_id"], name: "index_authorizations_scopes_on_authorization_id", using: :btree + add_index "authorizations_scopes", ["scope_id"], name: "index_authorizations_scopes_on_scope_id", using: :btree + create_table "blocks", force: :cascade do |t| t.integer "user_id", limit: 4 t.integer "person_id", limit: 4 
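Review bot: `authorizations.refresh_token` in the new schema block has no unique index, and the same holds for `o_auth_access_tokens.token` in the next hunk; both are bearer credentials that the token endpoint and the Rack::OAuth2 Bearer middleware in config/application.rb look up by value with `find_by`, so the model-level `validates :refresh_token, uniqueness: true` is not backed by the database and each lookup scans the table. Add `add_index "authorizations", ["refresh_token"], unique: true` and `add_index "o_auth_access_tokens", ["token"], unique: true` here, with the matching `index: true, unique: true` lines in the two migrations.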
@@ -236,6 +255,17 @@ ActiveRecord::Schema.define(version: 20151003142048) do add_index "notifications", ["target_id"], name: "index_notifications_on_target_id", using: :btree add_index "notifications", ["target_type", "target_id"], name: "index_notifications_on_target_type_and_target_id", length: {"target_type"=>190, "target_id"=>nil}, using: :btree + create_table "o_auth_access_tokens", force: :cascade do |t| + t.integer "user_id", limit: 4 + t.integer "authorization_id", limit: 4 + t.string "token", limit: 255 + t.datetime "expires_at" + t.datetime "created_at", null: false + t.datetime "updated_at", null: false + end + + add_index "o_auth_access_tokens", ["user_id"], name: "index_o_auth_access_tokens_on_user_id", using: :btree + create_table "o_auth_applications", force: :cascade do |t| t.integer "user_id", limit: 4 t.string "client_id", limit: 255 @@ -470,6 +500,20 @@ ActiveRecord::Schema.define(version: 20151003142048) do t.datetime "updated_at", null: false end + create_table "scopes", force: :cascade do |t| + t.string "name", limit: 255 + t.datetime "created_at", null: false + t.datetime "updated_at", null: false + end + + create_table "scopes_tokens", id: false, force: :cascade do |t| + t.integer "scope_id", limit: 4 + t.integer "o_auth_access_token_id", limit: 4 + end + + add_index "scopes_tokens", ["o_auth_access_token_id"], name: "index_scopes_tokens_on_o_auth_access_token_id", using: :btree + add_index "scopes_tokens", ["scope_id"], name: "index_scopes_tokens_on_scope_id", using: :btree + create_table "services", force: :cascade do |t| t.string "type", limit: 127, null: false t.integer "user_id", limit: 4, null: false 
@@ -540,16 +584,6 @@ ActiveRecord::Schema.define(version: 20151003142048) do add_index "tags", ["name"], name: "index_tags_on_name", unique: true, length: {"name"=>191}, using: :btree - create_table "tokens", force: :cascade do |t| - t.integer "user_id", limit: 4 - t.string "token", limit: 255 - t.datetime "expires_at" - t.datetime "created_at", null: false - t.datetime "updated_at", null: false - end - - add_index "tokens", ["user_id"], name: "index_tokens_on_user_id", using: :btree - create_table "user_preferences", force: :cascade do |t| t.string "email_type", limit: 255 t.integer "user_id", limit: 4 diff --git a/lib/account_deleter.rb b/lib/account_deleter.rb index 6018657cf..63d17fae5 100644 --- a/lib/account_deleter.rb +++ b/lib/account_deleter.rb @@ -47,15 +47,16 @@ class AccountDeleter #user deletions def normal_ar_user_associates_to_delete %i(tag_followings invitations_to_me services aspects user_preferences - notifications blocks authorizations o_auth_applications tokens) + notifications blocks authorizations o_auth_applications o_auth_access_tokens) end def special_ar_user_associations - [:invitations_from_me, :person, :profile, :contacts, :auto_follow_back_aspect] + %i(invitations_from_me person profile contacts auto_follow_back_aspect) end def ignored_ar_user_associations - [:followed_tags, :invited_by, :contact_people, :aspect_memberships, :ignored_people, :conversation_visibilities, :conversations, :reports] + %i(followed_tags invited_by contact_people aspect_memberships + ignored_people conversation_visibilities conversations reports) end def delete_standard_user_associations diff --git a/lib/openid_connect/authorization/endpoint.rb b/lib/openid_connect/endpoints/endpoint.rb similarity index 77% rename from lib/openid_connect/authorization/endpoint.rb rename to lib/openid_connect/endpoints/endpoint.rb index 0d1adc5b1..8bd813102 100644 --- a/lib/openid_connect/authorization/endpoint.rb +++ b/lib/openid_connect/endpoints/endpoint.rb 
@@ -1,5 +1,5 @@ module OpenidConnect - module Authorization + module Endpoints class Endpoint attr_accessor :app, :user, :client, :redirect_uri, :response_type, :scopes, :_request_, :request_uri, :request_object @@ -9,7 +9,8 @@ module OpenidConnect @user = current_user @app = Rack::OAuth2::Server::Authorize.new do |req, res| build_attributes(req, res) - if OAuthApplication.available_response_types.include? Array(req.response_type).map(&:to_s).join(" ") + if OpenidConnect::OAuthApplication.available_response_types.include?( + Array(req.response_type).map(&:to_s).join(" ")) handle_response_type(req, res) else req.unsupported_response_type! @@ -29,7 +30,7 @@ module OpenidConnect private def build_client(req) - @client = OAuthApplication.find_by_client_id(req.client_id) || req.bad_request! + @client = OpenidConnect::OAuthApplication.find_by_client_id(req.client_id) || req.bad_request! end def build_redirect_uri(req, res) diff --git a/lib/openid_connect/authorization/endpoint_confirmation_point.rb b/lib/openid_connect/endpoints/endpoint_confirmation_point.rb similarity index 97% rename from lib/openid_connect/authorization/endpoint_confirmation_point.rb rename to lib/openid_connect/endpoints/endpoint_confirmation_point.rb index 1e8a61423..fcb666aec 100644 --- a/lib/openid_connect/authorization/endpoint_confirmation_point.rb +++ b/lib/openid_connect/endpoints/endpoint_confirmation_point.rb @@ -1,5 +1,5 @@ module OpenidConnect - module Authorization + module Endpoints class EndpointConfirmationPoint < Endpoint def initialize(current_user, approved=false) super(current_user) diff --git a/lib/openid_connect/authorization/endpoint_start_point.rb b/lib/openid_connect/endpoints/endpoint_start_point.rb similarity index 89% rename from lib/openid_connect/authorization/endpoint_start_point.rb rename to lib/openid_connect/endpoints/endpoint_start_point.rb index 5d44e7dc5..51f1786c4 100644 --- a/lib/openid_connect/authorization/endpoint_start_point.rb 
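Review bot: `OpenidConnect::OAuthApplication.find_by_client_id(req.client_id) || req.bad_request!` in `build_client` keeps the dynamic finder while the same commit rewrites `retrieve_client` in lib/openid_connect/token_endpoint.rb to `find_by client_id: req.client_id`; the two lookups of the same record should use one form, and the hash-argument `find_by` is the one the rest of the diff settles on: `@client = OpenidConnect::OAuthApplication.find_by(client_id: req.client_id) || req.bad_request!`.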
+++ b/lib/openid_connect/endpoints/endpoint_start_point.rb @@ -1,5 +1,5 @@ module OpenidConnect - module Authorization + module Endpoints class EndpointStartPoint < Endpoint def initialize(current_user) super(current_user) @@ -24,7 +24,7 @@ module OpenidConnect def build_scopes(req) @scopes = req.scope.map {|scope| - Scope.where(name: scope).first.tap do |scope| + OpenidConnect::Scope.where(name: scope).first.tap do |scope| req.invalid_scope! "Unknown scope: #{scope}" unless scope end } diff --git a/lib/openid_connect/token_endpoint.rb b/lib/openid_connect/token_endpoint.rb index 197d9021c..4714ad481 100644 --- a/lib/openid_connect/token_endpoint.rb +++ b/lib/openid_connect/token_endpoint.rb @@ -29,7 +29,8 @@ module OpenidConnect user = User.find_for_database_authentication(username: req.username) if user if user.valid_password?(req.password) - res.access_token = token! user + auth = OpenidConnect::Authorization.find_or_create(req.client_id, user) + res.access_token = auth.create_token else req.invalid_grant! end @@ -39,24 +40,21 @@ module OpenidConnect end def handle_refresh_flow(req, res) - user = OAuthApplication.find_by_client_id(req.client_id).user - if RefreshToken.valid?(req.refresh_token) - res.access_token = token! user + auth = OpenidConnect::Authorization.find_by_client_id req.client_id + if OpenidConnect::Authorization.valid? req.refresh_token + res.access_token = auth.create_token else req.invalid_grant! end end def retrieve_client(req) - OAuthApplication.find_by_client_id req.client_id + OpenidConnect::OAuthApplication.find_by client_id: req.client_id end def app_valid?(o_auth_app, req) o_auth_app.client_secret == req.client_secret end - def token!(user) - user.tokens.create!.bearer_token - end end end diff --git a/spec/controllers/openid_connect/authorizations_controller_spec.rb b/spec/controllers/openid_connect/authorizations_controller_spec.rb index 974e0620b..6bfe7d3da 100644 --- a/spec/controllers/openid_connect/authorizations_controller_spec.rb 
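Review bot: The block in `build_scopes` shadows its own parameter: the outer `scope` is the requested name and the inner `|scope|` of `.tap do |scope|` is the looked-up record, so when the record is nil the message `"Unknown scope: #{scope}"` interpolates the nil record rather than the unknown name and the client receives an empty scope in the error. Rename the inner parameter, e.g. `OpenidConnect::Scope.where(name: scope).first.tap do |record|` and `req.invalid_scope! "Unknown scope: #{scope}" unless record`.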
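Review bot: `handle_refresh_flow` in the second hunk selects the authorization with `OpenidConnect::Authorization.find_by_client_id req.client_id`, but the authorizations table in this commit's db/schema.rb has no client_id column (only o_auth_application_id), so that call fails, and even with the model's `find_by_client_id_and_user` the selection would be by client alone while the presented refresh token is only checked for existence anywhere in the table via `Authorization.valid?`, never against the authorization whose token is minted; the two must be the same row. Key the lookup by client and refresh token together and reject a blank refresh_token before querying, since every authorization this commit creates stores `nil` there. The deleted `RefreshToken#valid?` consumed a refresh token on use, whereas the new `valid?` leaves it valid indefinitely, so consider rotating it (`auth.create_refresh_token` followed by a save) after a successful refresh. `app_valid?` in the trailing context compares `client_secret` with `==`; if the app is on Rails 4.2 or later, `ActiveSupport::SecurityUtils.secure_compare` is the constant-time alternative. The enclosing class of both methods starts outside the hunk.
```ruby
def handle_refresh_flow(req, res)
  client = retrieve_client(req)
  req.invalid_grant! if client.nil? || req.refresh_token.blank?
  auth = OpenidConnect::Authorization.find_by(
    o_auth_application: client,
    refresh_token:      req.refresh_token
  )
  if auth
    res.access_token = auth.create_token
  else
    req.invalid_grant!
  end
end
# … unchanged: retrieve_client, app_valid? …
```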
+++ b/spec/controllers/openid_connect/authorizations_controller_spec.rb @@ -1,16 +1,16 @@ require "spec_helper" describe OpenidConnect::AuthorizationsController, type: :controller do - let!(:client) { OAuthApplication.create!(name: "Diaspora Test Client", redirect_uris: ["http://localhost:3000/"]) } + let!(:client) { OpenidConnect::OAuthApplication.create!(name: "Diaspora Test Client", redirect_uris: ["http://localhost:3000/"]) } let!(:client_with_multiple_redirects) do - OAuthApplication.create!( + OpenidConnect::OAuthApplication.create!( name: "Diaspora Test Client", redirect_uris: ["http://localhost:3000/", "http://localhost/"]) end before do sign_in :user, alice allow(@controller).to receive(:current_user).and_return(alice) - Scope.create!(name: "openid") + OpenidConnect::Scope.create!(name: "openid") end describe "#new" do diff --git a/spec/lib/openid_connect/protected_resource_endpoint_spec.rb b/spec/lib/openid_connect/protected_resource_endpoint_spec.rb index 247df0661..11df9e303 100644 --- a/spec/lib/openid_connect/protected_resource_endpoint_spec.rb +++ b/spec/lib/openid_connect/protected_resource_endpoint_spec.rb @@ -2,7 +2,11 @@ require "spec_helper" describe OpenidConnect::ProtectedResourceEndpoint, type: :request do describe "getting the user info" do - let!(:token) { bob.tokens.create!.bearer_token.to_s } + let!(:client) do + OpenidConnect::OAuthApplication.create!(name: "Diaspora Test Client", redirect_uris: ["http://localhost:3000/"]) + end + let(:auth) { OpenidConnect::Authorization.find_or_create(client.client_id, bob) } + let!(:token) { auth.create_token.to_s } let(:invalid_token) { SecureRandom.hex(32).to_s } # TODO: Add tests for expired access tokens diff --git a/spec/lib/openid_connect/token_endpoint_spec.rb b/spec/lib/openid_connect/token_endpoint_spec.rb index b0d36aafe..1b60704b5 100644 --- a/spec/lib/openid_connect/token_endpoint_spec.rb +++ b/spec/lib/openid_connect/token_endpoint_spec.rb 
@@ -1,7 +1,7 @@ require "spec_helper" describe OpenidConnect::TokenEndpoint, type: :request do - let!(:client) { OAuthApplication.create!(redirect_uris: ["http://localhost"]) } + let!(:client) { OpenidConnect::OAuthApplication.create!(redirect_uris: ["http://localhost"]) } describe "the password grant type" do context "when the username field is missing" do it "should return an invalid request error" do