diff --git a/app/controllers/openid_connect/authorizations_controller.rb b/app/controllers/openid_connect/authorizations_controller.rb index febf6247a..0cf7faeb4 100644 --- a/app/controllers/openid_connect/authorizations_controller.rb +++ b/app/controllers/openid_connect/authorizations_controller.rb @@ -1,7 +1,7 @@ class OpenidConnect::AuthorizationsController < ApplicationController rescue_from Rack::OAuth2::Server::Authorize::BadRequest do |e| - logger.info e.backtrace[0,10].join("\n") - render json: { error: e.message || :error, status: e.status } + logger.info e.backtrace[0, 10].join("\n") + render json: {error: e.message || :error, status: e.status} end before_action :authenticate_user! @@ -44,8 +44,12 @@ class OpenidConnect::AuthorizationsController < ApplicationController end def save_request_parameters - session[:client_id], session[:response_type], session[:redirect_uri], session[:scopes], session[:request_object], session[:nonce] = - @o_auth_application.client_id, @response_type, @redirect_uri, @scopes.map(&:name), @request_object, params[:nonce] + session[:client_id] = @o_auth_application.client_id + session[:response_type] = @response_type + session[:redirect_uri] = @redirect_uri + session[:scopes] = @scopes.map(&:name) + session[:request_object] = @request_object + session[:nonce] = params[:nonce] end def process_authorization_consent(approvedString) diff --git a/app/controllers/openid_connect/discovery_controller.rb b/app/controllers/openid_connect/discovery_controller.rb index d2b6745f1..a11207b8d 100644 --- a/app/controllers/openid_connect/discovery_controller.rb +++ b/app/controllers/openid_connect/discovery_controller.rb 
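Review bot: The consent state saved in `save_request_parameters` is keyed by fixed session names, so a second authorization request started in the same browser before the first consent is given silently replaces client_id, redirect_uri, scopes and nonce, and the pending approval then completes the later request — an authorization-request mixup if that later request came from a crafted link. Unless `process_authorization_consent` (its body lies outside this hunk) re-checks the submitted client_id and redirect_uri against the session, consider binding the consent form to the stored state, e.g. `session[:authz_request_id] = SecureRandom.hex(16)` written here and echoed back from the consent form. Separately, `session[:nonce] = params[:nonce]` accepts whatever type arrives; a `nonce[]=x` request can store an Array that later becomes the id_token `nonce` claim, so guard it with `session[:nonce] = params[:nonce] if params[:nonce].is_a?(String)`. The remainder of the hunk is a mechanical split of the old multiple assignment and needs no change.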
@@ -1,30 +1,30 @@ class OpenidConnect::DiscoveryController < ApplicationController def webfinger jrd = { - links: [{ - rel: OpenIDConnect::Discovery::Provider::Issuer::REL_VALUE, - href: File.join(root_url, "openid_connect") - }] - } + links: [{ + rel: OpenIDConnect::Discovery::Provider::Issuer::REL_VALUE, + href: File.join(root_url, "openid_connect") + }] + } jrd[:subject] = params[:resource] if params[:resource].present? render json: jrd, content_type: "application/jrd+json" end def configuration render json: OpenIDConnect::Discovery::Provider::Config::Response.new( - issuer: root_url, - registration_endpoint: openid_connect_clients_url, - authorization_endpoint: new_openid_connect_authorization_url, - token_endpoint: openid_connect_access_tokens_url, - userinfo_endpoint: api_v0_user_url, - jwks_uri: File.join(root_url, "openid_connect", "jwks.json"), - scopes_supported: Scope.pluck(:name), - response_types_supported: OAuthApplication.available_response_types, - request_object_signing_alg_values_supported: %i(HS256 HS384 HS512), - subject_types_supported: %w(public pairwise), - id_token_signing_alg_values_supported: %i(RS256), - token_endpoint_auth_methods_supported: %w(client_secret_basic client_secret_post), - # TODO: claims_supported: ["sub", "iss", "name", "email"] - ) + issuer: root_url, + registration_endpoint: openid_connect_clients_url, + authorization_endpoint: new_openid_connect_authorization_url, + token_endpoint: openid_connect_access_tokens_url, + userinfo_endpoint: api_v0_user_url, + jwks_uri: File.join(root_url, "openid_connect", "jwks.json"), + scopes_supported: Scope.pluck(:name), + response_types_supported: OAuthApplication.available_response_types, + request_object_signing_alg_values_supported: %i(HS256 HS384 HS512), + subject_types_supported: %w(public pairwise), + id_token_signing_alg_values_supported: %i(RS256), + token_endpoint_auth_methods_supported: %w(client_secret_basic client_secret_post), + # TODO: claims_supported: ["sub", "iss", 
"name", "email"] + ) end end diff --git a/app/models/openid_connect/id_token.rb b/app/models/openid_connect/id_token.rb index 1f48e3e16..cd8c4d9c3 100644 --- a/app/models/openid_connect/id_token.rb +++ b/app/models/openid_connect/id_token.rb @@ -9,20 +9,20 @@ class OpenidConnect::IdToken < ActiveRecord::Base self.expires_at = 30.minutes.from_now end - def to_jwt(options = {}) + def to_jwt(options={}) to_response_object(options).to_jwt OpenidConnect::IdTokenConfig.private_key end - def to_response_object(options = {}) + def to_response_object(options={}) claims = { - iss: AppConfig.environment.url, - sub: AppConfig.environment.url + authorization.o_auth_application.client_id.to_s + authorization.user.id.to_s, # TODO: Convert to proper PPID - aud: authorization.o_auth_application.client_id, - exp: expires_at.to_i, - iat: created_at.to_i, + iss: AppConfig.environment.url, + sub: AppConfig.environment.url + authorization.o_auth_application.client_id.to_s + authorization.user.id.to_s, # TODO: Convert to proper PPID + aud: authorization.o_auth_application.client_id, + exp: expires_at.to_i, + iat: created_at.to_i, auth_time: authorization.user.current_sign_in_at.to_i, - nonce: nonce, - acr: 0 # TODO: Adjust ? + nonce: nonce, + acr: 0 # TODO: Adjust ? } id_token = OpenIDConnect::ResponseObject::IdToken.new(claims) id_token.code = options[:code] if options[:code] diff --git a/app/models/openid_connect/o_auth_access_token.rb b/app/models/openid_connect/o_auth_access_token.rb index 04f423f4d..cc72dc3d9 100644 --- a/app/models/openid_connect/o_auth_access_token.rb +++ b/app/models/openid_connect/o_auth_access_token.rb @@ -17,7 +17,7 @@ class OpenidConnect::OAuthAccessToken < ActiveRecord::Base def bearer_token @bearer_token ||= Rack::OAuth2::AccessToken::Bearer.new( access_token: token, - expires_in: (expires_at - Time.now.utc).to_i + expires_in: (expires_at - Time.now.utc).to_i ) end diff --git a/app/models/user.rb b/app/models/user.rb index 3766456bc..c77a75e1c 100644 
--- a/app/models/user.rb +++ b/app/models/user.rb @@ -605,10 +605,10 @@ class User < ActiveRecord::Base private def clearable_fields - self.attributes.keys - %w(id username encrypted_password created_at updated_at locked_at - serialized_private_key getting_started - disable_mail show_community_spotlight_in_stream - strip_exif email remove_after export exporting exported_at - exported_photos_file exporting_photos exported_photos_at) + attributes.keys - %w(id username encrypted_password created_at updated_at locked_at + serialized_private_key getting_started + disable_mail show_community_spotlight_in_stream + strip_exif email remove_after export exporting exported_at + exported_photos_file exporting_photos exported_photos_at) end end diff --git a/features/step_definitions/implicit_flow_steps.rb b/features/step_definitions/implicit_flow_steps.rb index 2ea9fdfa0..cc0f63e34 100644 --- a/features/step_definitions/implicit_flow_steps.rb +++ b/features/step_definitions/implicit_flow_steps.rb @@ -1,3 +1,11 @@ +o_auth_query_params = %i( + redirect_uri=http://localhost:3000 + response_type=id_token token + scope=openid + nonce=hello + state=hi +).join("&") + Given(/^the OpenID scope exists$/) do OpenidConnect::Scope.create(name: "openid") end 
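Review bot: `%i(...)` splits its contents on whitespace, so `response_type=id_token token` in the new `o_auth_query_params` becomes the two symbols `:"response_type=id_token"` and `:token`, and the joined string is `...&response_type=id_token&token&scope=openid&...`. The step therefore no longer requests the `id_token token` response type that the old concatenation sent literally, and both implicit-flow scenarios now exercise a different flow while passing a bare `token` parameter. An explicit array of strings keeps the embedded space exactly as the previous code did (the old `visit` call sent it unencoded too), so the scenarios stay equivalent to what they tested before.
```ruby
o_auth_query_params = [
  "redirect_uri=http://localhost:3000",
  "response_type=id_token token",
  "scope=openid",
  "nonce=hello",
  "state=hi"
].join("&")
# … unchanged: Given(/^the OpenID scope exists$/) step …
```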
@@ -5,14 +13,12 @@ end Given /^I send a post request from that client to the implicit flow authorization endpoint$/ do client_json = JSON.parse(last_response.body) auth_endpoint_url = "/openid_connect/authorizations/new" - visit auth_endpoint_url + "?client_id=" + client_json["o_auth_application"]["client_id"] + "&redirect_uri=" + "http://localhost:3000" + - "&response_type=id_token token" + "&scope=openid" + "&nonce=hello" + "&state=hi" + visit "#{auth_endpoint_url}?client_id=#{client_json["o_auth_application"]["client_id"]}&#{o_auth_query_params}" end Given /^I send a post request from that client to the implicit flow authorization endpoint using a invalid client id/ do auth_endpoint_url = "/openid_connect/authorizations/new" - visit auth_endpoint_url + "?client_id=randomid" + "&redirect_uri=" + "http://localhost:3000" + - "&response_type=id_token token" + "&scope=openid" + "&nonce=hello" + "&state=hi" + visit "#{auth_endpoint_url}?client_id=randomid&#{o_auth_query_params}" end When /^I give my consent and authorize the client$/ do diff --git a/lib/openid_connect/authorization_point/endpoint.rb b/lib/openid_connect/authorization_point/endpoint.rb index 9d31c4957..839bed9c7 100644 --- a/lib/openid_connect/authorization_point/endpoint.rb +++ b/lib/openid_connect/authorization_point/endpoint.rb @@ -24,7 +24,7 @@ module OpenidConnect build_scopes(req) end - def handle_response_type(req, res) + def handle_response_type(_req, _res) # Implemented by subclass end diff --git a/lib/openid_connect/authorization_point/endpoint_start_point.rb b/lib/openid_connect/authorization_point/endpoint_start_point.rb index 94fa20770..3af4274e7 100644 --- a/lib/openid_connect/authorization_point/endpoint_start_point.rb +++ b/lib/openid_connect/authorization_point/endpoint_start_point.rb 
@@ -1,7 +1,7 @@ module OpenidConnect module AuthorizationPoint class EndpointStartPoint < Endpoint - def handle_response_type(req, res) + def handle_response_type(req, _res) @response_type = req.response_type end diff --git a/spec/controllers/openid_connect/authorizations_controller_spec.rb b/spec/controllers/openid_connect/authorizations_controller_spec.rb index 1c8e3655b..706bff247 100644 --- a/spec/controllers/openid_connect/authorizations_controller_spec.rb +++ b/spec/controllers/openid_connect/authorizations_controller_spec.rb @@ -1,7 +1,9 @@ require "spec_helper" describe OpenidConnect::AuthorizationsController, type: :controller do - let!(:client) { OpenidConnect::OAuthApplication.create!(name: "Diaspora Test Client", redirect_uris: ["http://localhost:3000/"]) } + let!(:client) do + OpenidConnect::OAuthApplication.create!(name: "Diaspora Test Client", redirect_uris: ["http://localhost:3000/"]) + end let!(:client_with_multiple_redirects) do OpenidConnect::OAuthApplication.create!( name: "Diaspora Test Client", redirect_uris: ["http://localhost:3000/", "http://localhost/"]) @@ -102,7 +104,8 @@ describe OpenidConnect::AuthorizationsController, type: :controller do it "should return the id token in a fragment" do expect(response.location).to have_content("id_token=") encoded_id_token = response.location[/(?<=id_token=)[^&]+/] - decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token, OpenidConnect::IdTokenConfig.public_key + decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token, + OpenidConnect::IdTokenConfig.public_key expect(decoded_token.nonce).to eq("4130930983") expect(decoded_token.exp).to be > Time.now.utc.to_i end @@ -115,7 +118,6 @@ describe OpenidConnect::AuthorizationsController, type: :controller do end describe "#create" do - context "when id_token token" do before do get :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/", response_type: "id_token token", 
@@ -129,14 +131,16 @@ describe OpenidConnect::AuthorizationsController, type: :controller do it "should return the id token in a fragment" do encoded_id_token = response.location[/(?<=id_token=)[^&]+/] - decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token, OpenidConnect::IdTokenConfig.public_key + decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token, + OpenidConnect::IdTokenConfig.public_key expect(decoded_token.nonce).to eq("4180930983") expect(decoded_token.exp).to be > Time.now.utc.to_i end it "should return a valid access token in a fragment" do encoded_id_token = response.location[/(?<=id_token=)[^&]+/] - decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token, OpenidConnect::IdTokenConfig.public_key + decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token, + OpenidConnect::IdTokenConfig.public_key access_token = response.location[/(?<=access_token=)[^&]+/] access_token_check_num = UrlSafeBase64.encode64(OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8]) expect(decoded_token.at_hash).to eq(access_token_check_num) @@ -158,7 +162,8 @@ describe OpenidConnect::AuthorizationsController, type: :controller do it "should return the id token in a fragment" do expect(response.location).to have_content("id_token=") encoded_id_token = response.location[/(?<=id_token=)[^&]+/] - decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token, OpenidConnect::IdTokenConfig.public_key + decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token, + OpenidConnect::IdTokenConfig.public_key expect(decoded_token.nonce).to eq("4180930983") expect(decoded_token.exp).to be > Time.now.utc.to_i end @@ -182,6 +187,5 @@ describe OpenidConnect::AuthorizationsController, type: :controller do end end end - end end 
diff --git a/spec/controllers/openid_connect/id_tokens_controller_spec.rb b/spec/controllers/openid_connect/id_tokens_controller_spec.rb index 6739a3561..1e9e3548b 100644 --- a/spec/controllers/openid_connect/id_tokens_controller_spec.rb +++ b/spec/controllers/openid_connect/id_tokens_controller_spec.rb @@ -9,7 +9,7 @@ describe OpenidConnect::IdTokensController, type: :controller do it "should contain a public key that matches the internal private key" do json = JSON.parse(response.body).with_indifferent_access jwks = JSON::JWK::Set.new json[:keys] - public_keys = jwks.collect do |jwk| + public_keys = jwks.map do |jwk| JSON::JWK.decode jwk end public_key = public_keys.first