Adjust tokens to fit revised Authorization

2015-07-15 23:35:48 +09:00 · 2015-07-15 23:35:48 +09:00 · 2d762da072
commit 2d762da072
parent 17fde49d61
16 changed files with 198 additions and 166 deletions
--- a/app/controllers/api/v0/base_controller.rb
+++ b/app/controllers/api/v0/base_controller.rb
@ -3,7 +3,4 @@ class Api::V0::BaseController < ApplicationController
  before_filter :require_access_token
  def authorization
    current_token.authorization
  end
 end
--- a/app/controllers/api/v0/users_controller.rb
+++ b/app/controllers/api/v0/users_controller.rb
@ -6,6 +6,6 @@ class Api::V0::UsersController < Api::V0::BaseController
  private
  def user
-    authorization.user
+    current_token.authorization.user
  end
 end
--- a/app/controllers/openid_connect/authorizations_controller.rb
+++ b/app/controllers/openid_connect/authorizations_controller.rb
@ -11,31 +11,31 @@ class OpenidConnect::AuthorizationsController < ApplicationController
  end
  def create
    restore_request_parameters
    process_authorization_consent(params[:approve])
  end
  private
-  def request_authorization_consent_form
+  def request_authorization_consent_form # TODO: Add support for prompt params
-    endpoint = OpenidConnect::Authorization::EndpointStartPoint.new(current_user)
+    if OpenidConnect::Authorization.find_by_client_id_and_user(params[:client_id], current_user)
-    handle_startpoint_response(endpoint)
+      process_authorization_consent("true")
    else
      endpoint = OpenidConnect::AuthorizationPoint::EndpointStartPoint.new(current_user)
      handle_start_point_response(endpoint)
    end
  end
-  def handle_startpoint_response(endpoint)
+  def handle_start_point_response(endpoint)
    _status, header, response = *endpoint.call(request.env)
    if response.redirect?
      redirect_to header["Location"]
    else
-      saveParamsAndRenderConsentForm(endpoint)
+      save_params_and_render_consent_form(endpoint)
    end
  end
-  def process_authorization_consent(approvedString)
+  def save_params_and_render_consent_form(endpoint)
    endpoint = OpenidConnect::Authorization::EndpointConfirmationPoint.new(current_user, to_boolean(approvedString))
    handle_confirmation_endpoint_response(endpoint)
  end
  def saveParamsAndRenderConsentForm(endpoint)
    @o_auth_application, @response_type, @redirect_uri, @scopes, @request_object = *[
      endpoint.o_auth_application, endpoint.response_type, endpoint.redirect_uri, endpoint.scopes, endpoint.request_object
    ]
@ -43,22 +43,22 @@ class OpenidConnect::AuthorizationsController < ApplicationController
    render :new
  end
  def save_request_parameters
    session[:client_id], session[:response_type], session[:redirect_uri], session[:scopes], session[:request_object], session[:nonce] =
      @o_auth_application.client_id, @response_type, @redirect_uri, @scopes.map(&:name), @request_object, params[:nonce]
  end
  def process_authorization_consent(approvedString)
    endpoint = OpenidConnect::AuthorizationPoint::EndpointConfirmationPoint.new(current_user, to_boolean(approvedString))
    handle_confirmation_endpoint_response(endpoint)
  end
  def handle_confirmation_endpoint_response(endpoint)
    restore_request_parameters(endpoint)
    _status, header, _response = *endpoint.call(request.env)
    delete_authorization_session_variables
    redirect_to header["Location"]
  end
  def restore_request_parameters(endpoint)
    req = Rack::Request.new(request.env)
    req.update_param("client_id", session[:client_id])
    req.update_param("redirect_uri", session[:redirect_uri])
    req.update_param("response_type", session[:response_type])
    endpoint.scopes, endpoint.request_object, endpoint.nonce =
      session[:scopes].map {|scope| Scope.find_by_name(scope) }, session[:request_object], session[:nonce]
  end
  def delete_authorization_session_variables
    session.delete(:client_id)
    session.delete(:response_type)
@ -68,12 +68,17 @@ class OpenidConnect::AuthorizationsController < ApplicationController
    session.delete(:nonce)
  end
  def save_request_parameters
    session[:client_id], session[:response_type], session[:redirect_uri], session[:scopes], session[:request_object], session[:nonce] =
      @o_auth_application.client_id, @response_type, @redirect_uri, @scopes.map(&:name), @request_object, params[:nonce]
  end
  def to_boolean(str)
    str.downcase == "true"
  end
  def restore_request_parameters
    req = Rack::Request.new(request.env)
    req.update_param("client_id", session[:client_id])
    req.update_param("redirect_uri", session[:redirect_uri])
    req.update_param("response_type", session[:response_type])
    req.update_param("scopes", session[:scopes])
    req.update_param("request_object", session[:request_object])
    req.update_param("nonce", session[:nonce])
  end
 end
--- a/app/models/openid_connect/authorization.rb
+++ b/app/models/openid_connect/authorization.rb
@ -2,37 +2,35 @@ class OpenidConnect::Authorization < ActiveRecord::Base
  belongs_to :user
  belongs_to :o_auth_application
  has_many :scopes, through: :authorization_scopes
  has_many :o_auth_access_tokens
  before_validation :setup, on: :create
  validates :refresh_token, presence: true, uniqueness: true
  validates :user, presence: true, uniqueness: true
  validates :o_auth_application, presence: true, uniqueness: true
-  def setup
+  has_many :scopes, through: :authorization_scopes
  has_many :o_auth_access_tokens, dependent: :destroy
  has_many :id_tokens
  def generate_refresh_token
    self.refresh_token = SecureRandom.hex(32)
  end
  def create_access_token
-    OpenidConnect::OAuthAccessToken.create!(authorization: self).bearer_token
+    o_auth_access_tokens.create!.bearer_token
  end
-  # TODO: Actually call this method from token endpoint
+  def self.find_by_client_id_and_user(client_id, user)
-  def regenerate_refresh_token
+    app = OpenidConnect::OAuthApplication.find_by(client_id: client_id)
-    self.refresh_token = SecureRandom.hex(32)
+    find_by(o_auth_application: app, user: user)
  end
-  def self.find_by_client_id_and_user(app, user)
+  def self.find_by_app_and_user(app, user)
    find_by(o_auth_application: app, user: user)
  end
  # TODO: Handle creation error
  def self.find_or_create(client_id, user)
    app = OpenidConnect::OAuthApplication.find_by(client_id: client_id)
-    find_by_client_id_and_user(app, user) || create!(user: user, o_auth_application: app)
+    find_by_app_and_user(app, user) || create!(user: user, o_auth_application: app)
  end
-  # TODO: Incomplete class
+  # TODO: Consider splitting into subclasses by flow type
 end
--- a/app/models/openid_connect/id_token.rb
+++ b/app/models/openid_connect/id_token.rb
@ -1,12 +1,8 @@
-class IdToken < ActiveRecord::Base
+class OpenidConnect::IdToken < ActiveRecord::Base
-  belongs_to :user
+  belongs_to :authorization
  belongs_to :o_auth_application
  before_validation :setup, on: :create
  validates :user, presence: true
  validates :o_auth_application, presence: true
  default_scope -> { where("expires_at >= ?", Time.now.utc) }
  def setup
@ -20,11 +16,11 @@ class IdToken < ActiveRecord::Base
  def to_response_object(options = {})
    claims = {
      iss: AppConfig.environment.url,
-      sub: AppConfig.environment.url + o_auth_application.client_id.to_s + user.id.to_s, # TODO: Convert to proper PPID
+      sub: AppConfig.environment.url + authorization.o_auth_application.client_id.to_s + authorization.user.id.to_s, # TODO: Convert to proper PPID
-      aud: o_auth_application.client_id,
+      aud: authorization.o_auth_application.client_id,
      exp: expires_at.to_i,
      iat: created_at.to_i,
-      auth_time: user.current_sign_in_at.to_i,
+      auth_time: authorization.user.current_sign_in_at.to_i,
      nonce: nonce,
      acr: 0 # TODO: Adjust ?
    }
--- a/app/models/openid_connect/o_auth_access_token.rb
+++ b/app/models/openid_connect/o_auth_access_token.rb
@ -1,5 +1,5 @@
 class OpenidConnect::OAuthAccessToken < ActiveRecord::Base
-  belongs_to :authorization, dependent: :delete
+  belongs_to :authorization
  has_many :scopes, through: :scope_tokens
  before_validation :setup, on: :create
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -79,7 +79,6 @@ class User < ActiveRecord::Base
  has_many :authorizations, class_name: "OpenidConnect::Authorization"
  has_many :o_auth_applications, through: :authorizations, class_name: "OpenidConnect::OAuthApplication"
  has_many :o_auth_access_tokens, through: :authorizations, class_name: "OpenidConnect::OAuthAccessToken"
  has_many :id_tokens, class_name: "OpenidConnect::IdToken"
  before_save :guard_unconfirmed_email,
              :save_person!
--- a/db/migrate/20150714055110_create_id_tokens.rb
+++ b/db/migrate/20150714055110_create_id_tokens.rb
@ -1,8 +1,7 @@
 class CreateIdTokens < ActiveRecord::Migration
  def change
    create_table :id_tokens do |t|
-      t.belongs_to :user, index: true
+      t.belongs_to :authorization, index: true
      t.belongs_to :o_auth_application, index: true
      t.datetime :expires_at
      t.string :nonce
--- a/db/schema.rb
+++ b/db/schema.rb
@ -157,16 +157,14 @@ ActiveRecord::Schema.define(version: 20150714055110) do
  add_index "conversations", ["author_id"], name: "conversations_author_id_fk", using: :btree
  create_table "id_tokens", force: :cascade do |t|
-    t.integer  "user_id",               limit: 4
+    t.integer  "authorization_id", limit: 4
    t.integer  "o_auth_application_id", limit: 4
    t.datetime "expires_at"
    t.string   "nonce",            limit: 255
    t.datetime "created_at",                   null: false
    t.datetime "updated_at",                   null: false
  end
-  add_index "id_tokens", ["o_auth_application_id"], name: "index_id_tokens_on_o_auth_application_id", using: :btree
+  add_index "id_tokens", ["authorization_id"], name: "index_id_tokens_on_authorization_id", using: :btree
  add_index "id_tokens", ["user_id"], name: "index_id_tokens_on_user_id", using: :btree
  create_table "invitation_codes", force: :cascade do |t|
    t.string   "token",      limit: 255
--- a/lib/openid_connect/authorization_point/endpoint.rb
+++ b/lib/openid_connect/authorization_point/endpoint.rb
@ -1,5 +1,5 @@
 module OpenidConnect
-  module Authorization
+  module AuthorizationPoint
    class Endpoint
      attr_accessor :app, :user, :o_auth_application, :redirect_uri, :response_type,
                    :scopes, :_request_, :request_uri, :request_object, :nonce
@ -20,6 +20,8 @@ module OpenidConnect
      def build_attributes(req, res)
        build_client(req)
        build_redirect_uri(req, res)
        verify_nonce(req, res)
        build_scopes(req)
      end
      def handle_response_type(req, res)
@ -35,6 +37,22 @@ module OpenidConnect
      def build_redirect_uri(req, res)
        res.redirect_uri = @redirect_uri = req.verify_redirect_uri!(@o_auth_application.redirect_uris)
      end
      def verify_nonce(req, res)
        if res.protocol_params_location == :fragment && req.nonce.blank?
          req.invalid_request! "nonce required"
        end
      end
      def build_scopes(req)
        @scopes = req.scope.map {|scope|
          OpenidConnect::Scope.where(name: scope).first.tap do |scope|
            req.invalid_scope! "Unknown scope: #{scope}" unless scope
          end
        }
      end
      # TODO: buildResponseType(req)
    end
  end
 end
--- a/lib/openid_connect/authorization_point/endpoint_confirmation_point.rb
+++ b/lib/openid_connect/authorization_point/endpoint_confirmation_point.rb
@ -1,16 +1,11 @@
 module OpenidConnect
-  module Endpoints
+  module AuthorizationPoint
    class EndpointConfirmationPoint < Endpoint
      def initialize(current_user, approved=false)
        super(current_user)
        @approved = approved
      end
      def build_attributes(req, res)
        super(req, res)
        # TODO: buildResponseType(req)
      end
      def handle_response_type(req, res)
        handle_approval(@approved, req, res)
      end
@ -24,9 +19,10 @@ module OpenidConnect
      end
      def approved!(req, res)
        auth = OpenidConnect::Authorization.find_or_create(req.client_id, @user)
        response_types = Array(req.response_type)
        if response_types.include?(:id_token)
-          id_token = @user.id_tokens.create!(o_auth_application: o_auth_application, nonce: @nonce)
+          id_token = auth.id_tokens.create!(nonce: req.nonce)
          options = %i(code access_token).map{|option| ["res.#{option}", res.respond_to?(option) ? res.option : nil]}.to_h
          res.id_token = id_token.to_jwt(options)
          # TODO: Add support for request object
--- a/lib/openid_connect/authorization_point/endpoint_start_point.rb
+++ b/lib/openid_connect/authorization_point/endpoint_start_point.rb
@ -0,0 +1,11 @@
 module OpenidConnect
  module AuthorizationPoint
    class EndpointStartPoint < Endpoint
      def handle_response_type(req, res)
        @response_type = req.response_type
      end
      # TODO: buildRequestObject(req)
    end
  end
 end
--- a/lib/openid_connect/endpoints/endpoint_start_point.rb
+++ b/lib/openid_connect/endpoints/endpoint_start_point.rb
@ -1,30 +0,0 @@
 module OpenidConnect
  module Endpoints
    class EndpointStartPoint < Endpoint
      def handle_response_type(req, res)
        @response_type = req.response_type
      end
      def build_attributes(req, res)
        super(req, res)
        verify_nonce(req, res)
        build_scopes(req)
        # TODO: buildRequestObject(req)
      end
      def verify_nonce(req, res)
        if res.protocol_params_location == :fragment && req.nonce.blank?
          req.invalid_request! "nonce required"
        end
      end
      def build_scopes(req)
        @scopes = req.scope.map {|scope|
          OpenidConnect::Scope.where(name: scope).first.tap do |scope|
            req.invalid_scope! "Unknown scope: #{scope}" unless scope
          end
        }
      end
    end
  end
 end
--- a/lib/openid_connect/token_endpoint.rb
+++ b/lib/openid_connect/token_endpoint.rb
@ -55,6 +55,5 @@ module OpenidConnect
    def app_valid?(o_auth_app, req)
      o_auth_app.client_secret == req.client_secret
    end
  end
 end
--- a/spec/controllers/openid_connect/authorizations_controller_spec.rb
+++ b/spec/controllers/openid_connect/authorizations_controller_spec.rb
@ -14,6 +14,7 @@ describe OpenidConnect::AuthorizationsController, type: :controller do
  end
  describe "#new" do
    context "when not yet authorized" do
      context "when valid parameters are passed" do
        render_views
        context "as GET request" do
@ -87,6 +88,29 @@ describe OpenidConnect::AuthorizationsController, type: :controller do
        end
      end
    end
    context "when already authorized" do
      let!(:auth) { OpenidConnect::Authorization.find_or_create(client.client_id, alice) }
      context "when valid parameters are passed" do
        before do
          get :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/", response_type: "id_token",
              scope: "openid", nonce: 413_093_098_3, state: 413_093_098_3
        end
        it "should return the id token in a fragment" do
          expect(response.location).to have_content("id_token=")
          encoded_id_token = response.location[/(?<=id_token=)[^&]+/]
          decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token, OpenidConnect::IdTokenConfig.public_key
          expect(decoded_token.nonce).to eq("4130930983")
          expect(decoded_token.exp).to be > Time.now.utc.to_i
        end
        it "should return the passed in state" do
          expect(response.location).to have_content("state=4130930983")
        end
      end
    end
  end
  describe "#create" do
    before do
--- a/spec/lib/openid_connect/protected_resource_endpoint_spec.rb
+++ b/spec/lib/openid_connect/protected_resource_endpoint_spec.rb
@ -35,16 +35,38 @@ describe OpenidConnect::ProtectedResourceEndpoint, type: :request do
    end
    context "when an invalid access token is provided" do
-      it "should respond with a 401 Unauthorized response" do
+      before do
        get "/api/v0/user/", access_token: invalid_token
      end
      it "should respond with a 401 Unauthorized response" do
        expect(response.status).to be(401)
      end
      it "should have an auth-scheme value of Bearer" do
        get "/api/v0/user/", access_token: invalid_token
        expect(response.headers["WWW-Authenticate"]).to include("Bearer")
      end
      it "should contain an invalid_token error" do
        expect(response.body).to include("invalid_token")
      end
    end
    context "when authorization has been destroyed" do
      before do
        auth.destroy
        get "/api/v0/user/", access_token: access_token
      end
      it "should respond with a 401 Unauthorized response" do
        expect(response.status).to be(401)
      end
      it "should have an auth-scheme value of Bearer" do
        expect(response.headers["WWW-Authenticate"]).to include("Bearer")
      end
      it "should contain an invalid_token error" do
        get "/api/v0/user/", access_token: invalid_token
        expect(response.body).to include("invalid_token")
      end
    end