Merge pull request #15 from lessonly/azemoh/ch35118/add-bearer-token-auth-to-scim-rails-gem

Add support for OAuth Bearer Authentication

Merge pull request #15 from lessonly/azemoh/ch35118/add-bearer-token-auth-to-scim-rails-gem
Add support for OAuth Bearer Authentication
Kyle Werner · GitHub
2 parents 2b53a2e1 1d606569
Showing 14 changed files with 215 additions and 9 deletions Show diff stats
Gemfile.lock
README.md
app/controllers/scim_rails/application_controller.rb
lib/generators/scim_rails/templates/initializer.rb
lib/scim_rails.rb
lib/scim_rails/config.rb
lib/scim_rails/encoder.rb
lib/scim_rails/version.rb
scim_rails.gemspec
spec/controllers/scim_rails/scim_users_request_spec.rb
spec/dummy/config/initializers/scim_rails_config.rb
spec/factories/company.rb
spec/lib/scim_rails/encoder_spec.rb
spec/support/scim_rails_config.rb
 PATH
   remote: .
   specs:
-    scim_rails (0.2.1)
+    scim_rails (0.3.0)
+      jwt (~> 2.2)
       rails (>= 5.0, < 6.1)
  
 GEM
@@ -77,6 +78,7 @@ GEM
       activesupport (>= 4.2.0)
     i18n (1.6.0)
       concurrent-ruby (~> 1.0)
+    jwt (2.2.1)
     loofah (2.3.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
@@ -175,4 +177,4 @@ RUBY VERSION
    ruby 2.4.4p296
  
 BUNDLED WITH
-   2.0.1
+   2.0.2
@@ -78,6 +78,57 @@ When sending requests to the server the `Content-Type` should be set to `applica
  
 All responses will be sent with a `Content-Type` of `application/scim+json`.
  
+#### Authentication
+
+This gem supports both basic and OAuth bearer authentication.
+
+##### Basic Auth
+###### Username
+The config setting `basic_auth_model_searchable_attribute` is the model attribute used to authenticate as the `username`. It defaults to `:subdomain`.
+
+Ensure it is unique to the model records.
+
+###### Password
+The config setting `basic_auth_model_authenticatable_attribute` is the model attribute used to authenticate as `password`. Defaults to `:api_token`.
+
+Assuming the attribute is `:api_token`, generate the password using:
+```ruby
+token = ScimRails::Encoder.encode(company)
+# use the token as password for requests
+company.api_token = token # required
+company.save! # don't forget to persist the company record
+```
+
+This is necessary irrespective of your authentication choice(s) - basic auth, oauth bearer or both.
+
+###### Sample Request
+
+```bash
+$ curl -X GET 'http://username:password@localhost:3000/scim/v2/Users'
+```
+
+##### OAuth Bearer
+
+###### Signing Algorithm
+In the config settings, ensure you set `signing_algorithm` to a valid JWT signing algorithm, e.g "HS256". Defaults to `"none"` when not set.
+
+###### Signing Secret
+In the config settings, ensure you set `signing_secret` to a secret key that will be used to encode and decode tokens. Defaults to `nil` when not set.
+
+If you have already generated the `api_token` in the "Basic Auth" section, then use that as your bearer token and ignore the steps below:
+```ruby
+token = ScimRails::Encoder.encode(company)
+# use the token as bearer token for requests
+company.api_token = token #required
+company.save! # don't forget to persist the company record
+```
+
+##### Sample Request
+
+```bash
+$ curl -H 'Authorization: Bearer xxxxxxx.xxxxxx' -X GET 'http://localhost:3000/scim/v2/Users'
+```
+
 ### List
  
 ##### All
@@ -9,14 +9,30 @@ module ScimRails
     private
  
     def authorize_request
-      authenticate_with_http_basic do |username, password|
+      send(authentication_strategy) do |searchable_attribute, authentication_attribute|
         authorization = AuthorizeApiRequest.new(
-          searchable_attribute: username,
-          authentication_attribute: password
+          searchable_attribute: searchable_attribute,
+          authentication_attribute: authentication_attribute
         )
         @company = authorization.company
       end
-      raise  ScimRails::ExceptionHandler::InvalidCredentials if @company.blank?
+      raise ScimRails::ExceptionHandler::InvalidCredentials if @company.blank?
+    end
+
+    def authentication_strategy
+      if request.headers["Authorization"]&.include?("Bearer")
+        :authenticate_with_oauth_bearer
+      else
+        :authenticate_with_http_basic
+      end
+    end
+
+    def authenticate_with_oauth_bearer
+      authentication_attribute = request.headers["Authorization"].split(" ").last
+      payload = ScimRails::Encoder.decode(authentication_attribute).with_indifferent_access
+      searchable_attribute = payload[ScimRails.config.basic_auth_model_searchable_attribute]
+
+      yield searchable_attribute, authentication_attribute
     end
   end
 end
@@ -22,6 +22,18 @@ ScimRails.configure do |config|
   # or throws an error (returning 409 Conflict in accordance with SCIM spec)
   config.scim_user_prevent_update_on_create = false
  
+  # Cryptographic algorithm used for signing the auth tokens.
+  # It supports all algorithms supported by the jwt gem.
+  # See https://github.com/jwt/ruby-jwt#algorithms-and-usage for supported algorithms
+  # It is "none" by default, hence generated tokens are unsigned
+  # The tokens do not need to be signed if you only need basic authentication.
+  # config.signing_algorithm = "HS256"
+
+  # Secret token used to sign authorization tokens
+  # It is `nil` by default, hence generated tokens are unsigned
+  # The tokens do not need to be signed if you only need basic authentication.
+  # config.signing_secret = SECRET_TOKEN
+
   # Default sort order for pagination is by id. If you
   # use non sequential ids for user records, uncomment
   # the below line and configure a determinate order.
 require "scim_rails/engine"
 require "scim_rails/config"
+require "scim_rails/encoder"
  
 module ScimRails
 end
@@ -10,6 +10,8 @@ module ScimRails
   end
  
   class Config
+    ALGO_NONE = "none".freeze
+
     attr_accessor \
       :basic_auth_model,
       :basic_auth_model_authenticatable_attribute,
@@ -21,6 +23,8 @@ module ScimRails
       :scim_users_model,
       :scim_users_scope,
       :scim_user_prevent_update_on_create,
+      :signing_secret,
+      :signing_algorithm,
       :user_attributes,
       :user_deprovision_method,
       :user_reprovision_method,
@@ -30,6 +34,7 @@ module ScimRails
       @basic_auth_model = "Company"
       @scim_users_list_order = :id
       @scim_users_model = "User"
+      @signing_algorithm = ALGO_NONE
       @user_schema = {}
       @user_attributes = []
     end
@@ -0,0 +1,25 @@
+require "jwt"
+
+module ScimRails
+  module Encoder
+    extend self
+
+    def encode(company)
+      payload = {
+        iat: Time.current.to_i,
+        ScimRails.config.basic_auth_model_searchable_attribute =>
+          company.public_send(ScimRails.config.basic_auth_model_searchable_attribute)
+      }
+
+      JWT.encode(payload, ScimRails.config.signing_secret, ScimRails.config.signing_algorithm)
+    end
+
+    def decode(token)
+      verify = ScimRails.config.signing_algorithm != ScimRails::Config::ALGO_NONE
+
+      JWT.decode(token, ScimRails.config.signing_secret, verify, algorithm: ScimRails.config.signing_algorithm).first
+    rescue JWT::VerificationError, JWT::DecodeError
+      raise ScimRails::ExceptionHandler::InvalidCredentials
+    end
+  end
+end
 module ScimRails
-  VERSION = '0.2.2'
+  VERSION = '0.3.0'
 end
@@ -18,6 +18,7 @@ Gem::Specification.new do |s|
  
   s.required_ruby_version = "~> 2.4"
   s.add_dependency "rails", ">= 5.0", "< 6.1"
+  s.add_runtime_dependency "jwt", "~> 1.5.1"
   s.test_files = Dir["spec/**/*"]
  
   s.add_development_dependency "bundler", "~> 2.0"
@@ -5,7 +5,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :request do
   let(:credentials) { Base64::encode64("#{company.subdomain}:#{company.api_token}") }
   let(:authorization) { "Basic #{credentials}" }
  
-  def post_request(content_type)
+  def post_request(content_type = "application/scim+json")
     # params need to be transformed into a string to test if they are being parsed by Rack
  
     post "/scim_rails/scim/v2/Users",
@@ -48,4 +48,26 @@ RSpec.describe ScimRails::ScimUsersController, type: :request do
       expect(company.users.count).to eq 0
     end
   end
+
+  context "OAuth Bearer Authorization" do
+    context "with valid token" do
+      let(:authorization) { "Bearer #{company.api_token}" }
+
+      it "supports OAuth bearer authorization and succeeds" do
+        expect { post_request }.to change(company.users, :count).from(0).to(1)
+
+        expect(response.status).to eq 201
+      end
+    end
+
+    context "with invalid token" do
+      let(:authorization) { "Bearer #{SecureRandom.hex}" }
+
+      it "The request fails" do
+        expect { post_request }.not_to change(company.users, :count)
+
+        expect(response.status).to eq 401
+      end
+    end
+  end
 end
@@ -7,6 +7,9 @@ ScimRails.configure do |config|
   config.scim_users_scope = :users
   config.scim_users_list_order = :id
  
+  config.signing_algorithm = "HS256"
+  config.signing_secret = "2d6806dd11c2fece2e81b8ca76dcb0062f5b08e28e3264e8ba1c44bbd3578b70"
+
   config.user_deprovision_method = :archive!
   config.user_reprovision_method = :unarchive!
  
@@ -2,6 +2,9 @@ FactoryBot.define do
   factory :company do
     name { "Test Company" }
     subdomain { "test" }
-    api_token { "1" }
+
+    after(:build) do |company|
+      company.api_token = ScimRails::Encoder.encode(company)
+    end
   end
 end
@@ -0,0 +1,62 @@
+require "spec_helper"
+
+describe ScimRails::Encoder do
+  let(:company) { Company.new(subdomain: "test") }
+
+  describe "::encode" do
+    context "with signing configuration" do
+      it "generates a signed token with the company attribute" do
+        token   = ScimRails::Encoder.encode(company)
+        payload = ScimRails::Encoder.decode(token)
+
+        expect(token).to match /[a-z|A-Z|0-9.]{16,}\.[a-z|A-Z|0-9.]{16,}/
+        expect(payload).to contain_exactly(["iat", Integer], ["subdomain", "test"])
+      end
+    end
+
+    context "without signing configuration" do
+      before do
+        allow(ScimRails.config).to receive(:signing_secret).and_return(nil)
+        allow(ScimRails.config).to receive(:signing_algorithm).and_return(ScimRails::Config::ALGO_NONE)
+      end
+
+      it "generates an unsigned token with the company attribute" do
+        token   = ScimRails::Encoder.encode(company)
+        payload = ScimRails::Encoder.decode(token)
+
+        expect(token).to match /[a-z|A-Z|0-9.]{16,}/
+        expect(payload).to contain_exactly(["iat", Integer], ["subdomain", "test"])
+      end
+    end
+  end
+
+  describe "::decode" do
+    let(:token) { ScimRails::Encoder.encode(company) }
+
+    it "raises InvalidCredentials error for an invalid token" do
+      token = "f487bf84bfub4f74fj4894fnh483f4h4u8f"
+      expect { ScimRails::Encoder.decode(token) }.to raise_error ScimRails::ExceptionHandler::InvalidCredentials
+    end
+
+    context "with signing configuration" do
+      it "decodes a signed token, returning the company attributes" do
+        payload = ScimRails::Encoder.decode(token)
+
+        expect(payload).to contain_exactly(["iat", Integer], ["subdomain", "test"])
+      end
+    end
+
+    context "without signing configuration" do
+      before do
+        allow(ScimRails.config).to receive(:signing_secret).and_return(nil)
+        allow(ScimRails.config).to receive(:signing_algorithm).and_return(ScimRails::Config::ALGO_NONE)
+      end
+
+      it "decodes an unsigned token, returning the company attributes" do
+        payload = ScimRails::Encoder.decode(token)
+
+        expect(payload).to contain_exactly(["iat", Integer], ["subdomain", "test"])
+      end
+    end
+  end
+end
@@ -10,6 +10,9 @@ ScimRails.configure do |config|
   config.scim_users_scope = :users
   config.scim_users_list_order = :id
  
+  config.signing_algorithm = "HS256"
+  config.signing_secret = "2d6806dd11c2fece2e81b8ca76dcb0062f5b08e28e3264e8ba1c44bbd3578b70"
+
   config.user_deprovision_method = :archive!
   config.user_reprovision_method = :unarchive!
1	1	PATH
2	2	remote: .
3	3	specs:
4		- scim_rails (0.2.1)
	4	+ scim_rails (0.3.0)
	5	+ jwt (~> 2.2)
5	6	rails (>= 5.0, < 6.1)
6	7
7	8	GEM
...	...	@@ -77,6 +78,7 @@ GEM
77	78	activesupport (>= 4.2.0)
78	79	i18n (1.6.0)
79	80	concurrent-ruby (~> 1.0)
	81	+ jwt (2.2.1)
80	82	loofah (2.3.1)
81	83	crass (~> 1.0.2)
82	84	nokogiri (>= 1.5.9)
...	...	@@ -175,4 +177,4 @@ RUBY VERSION
175	177	ruby 2.4.4p296
176	178
177	179	BUNDLED WITH
178		- 2.0.1
	180	+ 2.0.2
...	...
...	...	@@ -78,6 +78,57 @@ When sending requests to the server the `Content-Type` should be set to `applica
78	78
79	79	All responses will be sent with a `Content-Type` of `application/scim+json`.
80	80
	81	+#### Authentication
	82	+
	83	+This gem supports both basic and OAuth bearer authentication.
	84	+
	85	+##### Basic Auth
	86	+###### Username
	87	+The config setting `basic_auth_model_searchable_attribute` is the model attribute used to authenticate as the `username`. It defaults to `:subdomain`.
	88	+
	89	+Ensure it is unique to the model records.
	90	+
	91	+###### Password
	92	+The config setting `basic_auth_model_authenticatable_attribute` is the model attribute used to authenticate as `password`. Defaults to `:api_token`.
	93	+
	94	+Assuming the attribute is `:api_token`, generate the password using:
	95	+```ruby
	96	+token = ScimRails::Encoder.encode(company)
	97	+# use the token as password for requests
	98	+company.api_token = token # required
	99	+company.save! # don't forget to persist the company record
	100	+```
	101	+
	102	+This is necessary irrespective of your authentication choice(s) - basic auth, oauth bearer or both.
	103	+
	104	+###### Sample Request
	105	+
	106	+```bash
	107	+$ curl -X GET 'http://username:password@localhost:3000/scim/v2/Users'
	108	+```
	109	+
	110	+##### OAuth Bearer
	111	+
	112	+###### Signing Algorithm
	113	+In the config settings, ensure you set `signing_algorithm` to a valid JWT signing algorithm, e.g "HS256". Defaults to `"none"` when not set.
	114	+
	115	+###### Signing Secret
	116	+In the config settings, ensure you set `signing_secret` to a secret key that will be used to encode and decode tokens. Defaults to `nil` when not set.
	117	+
	118	+If you have already generated the `api_token` in the "Basic Auth" section, then use that as your bearer token and ignore the steps below:
	119	+```ruby
	120	+token = ScimRails::Encoder.encode(company)
	121	+# use the token as bearer token for requests
	122	+company.api_token = token #required
	123	+company.save! # don't forget to persist the company record
	124	+```
	125	+
	126	+##### Sample Request
	127	+
	128	+```bash
	129	+$ curl -H 'Authorization: Bearer xxxxxxx.xxxxxx' -X GET 'http://localhost:3000/scim/v2/Users'
	130	+```
	131	+
81	132	### List
82	133
83	134	##### All
...	...
...	...	@@ -9,14 +9,30 @@ module ScimRails
9	9	private
10	10
11	11	def authorize_request
12		- authenticate_with_http_basic do \|username, password\|
	12	+ send(authentication_strategy) do \|searchable_attribute, authentication_attribute\|
13	13	authorization = AuthorizeApiRequest.new(
14		- searchable_attribute: username,
15		- authentication_attribute: password
	14	+ searchable_attribute: searchable_attribute,
	15	+ authentication_attribute: authentication_attribute
16	16	)
17	17	@company = authorization.company
18	18	end
19		- raise ScimRails::ExceptionHandler::InvalidCredentials if @company.blank?
	19	+ raise ScimRails::ExceptionHandler::InvalidCredentials if @company.blank?
	20	+ end
	21	+
	22	+ def authentication_strategy
	23	+ if request.headers["Authorization"]&.include?("Bearer")
	24	+ :authenticate_with_oauth_bearer
	25	+ else
	26	+ :authenticate_with_http_basic
	27	+ end
	28	+ end
	29	+
	30	+ def authenticate_with_oauth_bearer
	31	+ authentication_attribute = request.headers["Authorization"].split(" ").last
	32	+ payload = ScimRails::Encoder.decode(authentication_attribute).with_indifferent_access
	33	+ searchable_attribute = payload[ScimRails.config.basic_auth_model_searchable_attribute]
	34	+
	35	+ yield searchable_attribute, authentication_attribute
20	36	end
21	37	end
22	38	end
...	...
...	...	@@ -22,6 +22,18 @@ ScimRails.configure do \|config\|
22	22	# or throws an error (returning 409 Conflict in accordance with SCIM spec)
23	23	config.scim_user_prevent_update_on_create = false
24	24
	25	+ # Cryptographic algorithm used for signing the auth tokens.
	26	+ # It supports all algorithms supported by the jwt gem.
	27	+ # See https://github.com/jwt/ruby-jwt#algorithms-and-usage for supported algorithms
	28	+ # It is "none" by default, hence generated tokens are unsigned
	29	+ # The tokens do not need to be signed if you only need basic authentication.
	30	+ # config.signing_algorithm = "HS256"
	31	+
	32	+ # Secret token used to sign authorization tokens
	33	+ # It is `nil` by default, hence generated tokens are unsigned
	34	+ # The tokens do not need to be signed if you only need basic authentication.
	35	+ # config.signing_secret = SECRET_TOKEN
	36	+
25	37	# Default sort order for pagination is by id. If you
26	38	# use non sequential ids for user records, uncomment
27	39	# the below line and configure a determinate order.
...	...
1	1	require "scim_rails/engine"
2	2	require "scim_rails/config"
	3	+require "scim_rails/encoder"
3	4
4	5	module ScimRails
5	6	end
...	...
...	...	@@ -10,6 +10,8 @@ module ScimRails
10	10	end
11	11
12	12	class Config
	13	+ ALGO_NONE = "none".freeze
	14	+
13	15	attr_accessor \
14	16	:basic_auth_model,
15	17	:basic_auth_model_authenticatable_attribute,
...	...	@@ -21,6 +23,8 @@ module ScimRails
21	23	:scim_users_model,
22	24	:scim_users_scope,
23	25	:scim_user_prevent_update_on_create,
	26	+ :signing_secret,
	27	+ :signing_algorithm,
24	28	:user_attributes,
25	29	:user_deprovision_method,
26	30	:user_reprovision_method,
...	...	@@ -30,6 +34,7 @@ module ScimRails
30	34	@basic_auth_model = "Company"
31	35	@scim_users_list_order = :id
32	36	@scim_users_model = "User"
	37	+ @signing_algorithm = ALGO_NONE
33	38	@user_schema = {}
34	39	@user_attributes = []
35	40	end
...	...
...	...	@@ -0,0 +1,25 @@
	1	+require "jwt"
	2	+
	3	+module ScimRails
	4	+ module Encoder
	5	+ extend self
	6	+
	7	+ def encode(company)
	8	+ payload = {
	9	+ iat: Time.current.to_i,
	10	+ ScimRails.config.basic_auth_model_searchable_attribute =>
	11	+ company.public_send(ScimRails.config.basic_auth_model_searchable_attribute)
	12	+ }
	13	+
	14	+ JWT.encode(payload, ScimRails.config.signing_secret, ScimRails.config.signing_algorithm)
	15	+ end
	16	+
	17	+ def decode(token)
	18	+ verify = ScimRails.config.signing_algorithm != ScimRails::Config::ALGO_NONE
	19	+
	20	+ JWT.decode(token, ScimRails.config.signing_secret, verify, algorithm: ScimRails.config.signing_algorithm).first
	21	+ rescue JWT::VerificationError, JWT::DecodeError
	22	+ raise ScimRails::ExceptionHandler::InvalidCredentials
	23	+ end
	24	+ end
	25	+end
...	...
1	1	module ScimRails
2		- VERSION = '0.2.2'
	2	+ VERSION = '0.3.0'
3	3	end
...	...
...	...	@@ -18,6 +18,7 @@ Gem::Specification.new do \|s\|
18	18
19	19	s.required_ruby_version = "~> 2.4"
20	20	s.add_dependency "rails", ">= 5.0", "< 6.1"
	21	+ s.add_runtime_dependency "jwt", "~> 1.5.1"
21	22	s.test_files = Dir["spec/*/"]
22	23
23	24	s.add_development_dependency "bundler", "~> 2.0"
...	...
...	...	@@ -5,7 +5,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :request do
5	5	let(:credentials) { Base64::encode64("#{company.subdomain}:#{company.api_token}") }
6	6	let(:authorization) { "Basic #{credentials}" }
7	7
8		- def post_request(content_type)
	8	+ def post_request(content_type = "application/scim+json")
9	9	# params need to be transformed into a string to test if they are being parsed by Rack
10	10
11	11	post "/scim_rails/scim/v2/Users",
...	...	@@ -48,4 +48,26 @@ RSpec.describe ScimRails::ScimUsersController, type: :request do
48	48	expect(company.users.count).to eq 0
49	49	end
50	50	end
	51	+
	52	+ context "OAuth Bearer Authorization" do
	53	+ context "with valid token" do
	54	+ let(:authorization) { "Bearer #{company.api_token}" }
	55	+
	56	+ it "supports OAuth bearer authorization and succeeds" do
	57	+ expect { post_request }.to change(company.users, :count).from(0).to(1)
	58	+
	59	+ expect(response.status).to eq 201
	60	+ end
	61	+ end
	62	+
	63	+ context "with invalid token" do
	64	+ let(:authorization) { "Bearer #{SecureRandom.hex}" }
	65	+
	66	+ it "The request fails" do
	67	+ expect { post_request }.not_to change(company.users, :count)
	68	+
	69	+ expect(response.status).to eq 401
	70	+ end
	71	+ end
	72	+ end
51	73	end
...	...