Use redirect_uri if no sector identifier for ppid

As according to http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg: "If the Client has not provided a value for sector_identifier_uri in Dynamic Client Registration [OpenID.Registration], the Sector Identifier used for pairwise identifier calculation is the host component of the registered redirect_uri."
2015-09-24 21:46:16 -07:00 · 2015-09-24 21:46:16 -07:00 · a76f51a6a5
commit a76f51a6a5
parent 4e18f3849d
9 changed files with 27 additions and 22 deletions
--- a/app/controllers/api/openid_connect/user_info_controller.rb
+++ b/app/controllers/api/openid_connect/user_info_controller.rb
@ -4,7 +4,7 @@ module Api
      include Api::OpenidConnect::ProtectedResourceEndpoint

      before_action do
-        require_access_token ["openid"]
+        require_access_token %w(openid)
      end

      def show
--- a/app/models/api/openid_connect/id_token.rb
+++ b/app/models/api/openid_connect/id_token.rb
@ -1,3 +1,5 @@
+require "uri"
+
 module Api
  module OpenidConnect
    class IdToken < ActiveRecord::Base
@ -36,14 +38,7 @@ module Api
      end

      def build_sub
-        if authorization.o_auth_application.ppid?
-          sector_identifier = authorization.o_auth_application.sector_identifier_uri
-          pairwise_pseudonymous_identifier =
-            authorization.user.pairwise_pseudonymous_identifiers.find_or_create_by(sector_identifier: sector_identifier)
-          pairwise_pseudonymous_identifier.guid
-        else
-          authorization.user.diaspora_handle
-        end
+        Api::OpenidConnect::SubjectIdentifierCreator.createSub(authorization)
      end
    end
  end
--- a/app/models/api/openid_connect/pairwise_pseudonymous_identifier.rb
+++ b/app/models/api/openid_connect/pairwise_pseudonymous_identifier.rb
@ -7,7 +7,7 @@ module Api
      belongs_to :user

      validates :user, presence: true
-      validates :sector_identifier, presence: true, uniqueness: {scope: :user}
+      validates :identifier, presence: true, uniqueness: {scope: :user}
      validates :guid, presence: true, uniqueness: true

      before_validation :setup, on: :create
--- a/app/serializers/user_info_serializer.rb
+++ b/app/serializers/user_info_serializer.rb
@ -3,14 +3,7 @@ class UserInfoSerializer < ActiveModel::Serializer

  def sub
    auth = serialization_options[:authorization]
-    if auth.o_auth_application.ppid?
-      sector_identifier = auth.o_auth_application.sector_identifier_uri
-      pairwise_pseudonymous_identifier =
-        object.pairwise_pseudonymous_identifiers.find_or_create_by(sector_identifier: sector_identifier)
-      pairwise_pseudonymous_identifier.guid
-    else
-      object.diaspora_handle
-    end
+    Api::OpenidConnect::SubjectIdentifierCreator.createSub(auth)
  end

  def nickname
--- a/db/migrate/20150731123113_create_pairwise_pseudonymous_identifiers.rb
+++ b/db/migrate/20150731123113_create_pairwise_pseudonymous_identifiers.rb
@ -5,7 +5,7 @@ class CreatePairwisePseudonymousIdentifiers < ActiveRecord::Migration
      t.belongs_to :user, index: true

      t.string :guid, :string, limit: 32
-      t.string :sector_identifier
+      t.string :identifier
    end
    add_foreign_key :ppid, :o_auth_applications
    add_foreign_key :ppid, :users
--- a/db/schema.rb
+++ b/db/schema.rb
@ -466,7 +466,7 @@ ActiveRecord::Schema.define(version: 20150828132451) do
    t.integer "user_id",               limit: 4
    t.string  "guid",                  limit: 32
    t.string  "string",                limit: 32
-    t.string  "sector_identifier",     limit: 255
+    t.string  "identifier",            limit: 255
  end

  add_index "ppid", ["o_auth_application_id"], name: "index_ppid_on_o_auth_application_id", using: :btree
--- a/lib/api/openid_connect/subject_identifier_creator.rb
+++ b/lib/api/openid_connect/subject_identifier_creator.rb
@ -0,0 +1,17 @@
+module Api
+  module OpenidConnect
+    class SubjectIdentifierCreator
+      def self.createSub(auth)
+        if auth.o_auth_application.ppid?
+          identifier = auth.o_auth_application.sector_identifier_uri ||
+            URI.parse(auth.o_auth_application.redirect_uris[0]).host
+          pairwise_pseudonymous_identifier =
+            auth.user.pairwise_pseudonymous_identifiers.find_or_create_by(identifier: identifier)
+          pairwise_pseudonymous_identifier.guid
+        else
+          auth.user.diaspora_handle
+        end
+      end
+    end
+  end
+end
--- a/spec/integration/api/user_info_controller_spec.rb
+++ b/spec/integration/api/user_info_controller_spec.rb
@ -12,7 +12,7 @@ describe Api::OpenidConnect::UserInfoController do
    it "shows the info" do
      json_body = JSON.parse(response.body)
      expected_sub =
-        @user.pairwise_pseudonymous_identifiers.find_or_create_by(sector_identifier: "https://example.com/uri").guid
+        @user.pairwise_pseudonymous_identifiers.find_or_create_by(identifier: "https://example.com/uri").guid
      expect(json_body["sub"]).to eq(expected_sub)
      expect(json_body["nickname"]).to eq(@user.name)
      expect(json_body["profile"]).to eq(File.join(AppConfig.environment.url, "people", @user.guid).to_s)
--- a/spec/lib/api/openid_connect/token_endpoint_spec.rb
+++ b/spec/lib/api/openid_connect/token_endpoint_spec.rb
@ -21,7 +21,7 @@ describe Api::OpenidConnect::TokenEndpoint, type: :request do
        encoded_id_token = json["id_token"]
        decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
                                                                      Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
-        expected_guid = bob.pairwise_pseudonymous_identifiers.find_by(sector_identifier: "https://example.com/uri").guid
+        expected_guid = bob.pairwise_pseudonymous_identifiers.find_by(identifier: "https://example.com/uri").guid
        expect(decoded_token.sub).to eq(expected_guid)
        expect(decoded_token.exp).to be > Time.zone.now.utc.to_i
      end