Class: Google

Defined in:
lib/ops/oauth2/google.rb

Overview

Basic support for Google OAuth2: the authorization-code flow (scope `email`), with the resulting Google identity checked against an email/domain allow-list before auth cookies are issued.


Instance Method Details

#access_token(params) ⇒ Object



# File 'lib/ops/oauth2/google.rb', line 93

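# Exchange the authorization code carried in +params+ for a Google access token.
#
# The code is looked up under both the Symbol and the String key: the caller
# (authorize) tests for the String key 'code', while this method historically
# read :code, and with a plain Hash only one of the two is present.
#
# @param params [Hash] request parameters from Google's callback
# @return [String, nil] the access token, or nil when the token endpoint
#   answered with anything that has no 'access_token' (e.g. an error document)
def access_token(params)
  code = params[:code] || params['code']
  response = verify(code)
  response&.dig('access_token')
end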

#authorize(s) ⇒ Object



# File 'lib/ops/oauth2/google.rb', line 98

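# Entry point and OAuth2 callback.
#
# With a 'code' query parameter this is Google's redirect back to us: the
# code is exchanged for an access token, the token for the user's profile,
# and the profile is checked against the allow-lists before any auth cookie
# is issued.  Without a 'code' the browser is sent to Google's consent page.
#
# @param s [#params, #cookies, #request, #redirect] the request context
# @return [Object] 403 when the identity is not permitted; otherwise the
#   value of the redirect helper that was invoked
def authorize(s)
  # First leg: no code yet, send the browser to Google.  (This branch used
  # to reference a bare `request`, which is not defined here; it is `s.request`.)
  # NOTE(review): the state parameter sent along (see state_url) is a fixed
  # URL, not a per-request nonce, so this callback cannot detect a forged
  # login (login CSRF).  Binding state to the session would close that gap.
  return Auth.go_to_auth(s.cookies, s.request) unless s.params.key?('code')

  # Make sure we got an access token, otherwise redirect to auth page.
  at = access_token(s.params)
  return Auth.go_to_auth(s.cookies, s.request) unless at

  # Get Google user info and make sure it's permitted to get auth.
  ui = user_info(at)
  return 403 unless permitted?(ui)

  # Naive sanity check of the Google response.
  return Auth.go_to_auth(s.cookies, s.request) unless ui.key?('email')

  # Now we're safe to authorize => set cookies.
  Auth.authorize(ui, s.request).each do |cookie, value|
    s.cookies.set(cookie, value: value, expires: Time.now + Auth.cookie_ttl)
  end

  # Honour the pre-login redirect cookie, but only for a local path: the
  # cookie is client-controlled, so an absolute or scheme-relative target
  # would turn the login flow into an open redirect.  The cookie is consumed
  # either way.
  if s.cookies.key?(Auth.cookie_name_redirect)
    target = s.cookies[Auth.cookie_name_redirect]
    s.cookies.delete(Auth.cookie_name_redirect)
    return s.redirect(target) if local_redirect?(target)
  end

  # Redirect to default page if there is no (usable) redirect cookie.
  s.redirect Auth.default_redirect_page
end

# True when +url+ is a path on this host: a String starting with a single '/'
# (not '//' or '/\', which browsers treat as scheme-relative).
#
# @param url [Object] candidate redirect target
# @return [Boolean]
def local_redirect?(url)
  url.is_a?(String) && url.start_with?('/') && !url.start_with?('//', '/\\')
end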

#configurationObject



# File 'lib/ops/oauth2/google.rb', line 50

# Parsed contents of the configuration file, read once and memoised.
#
# Any failure (file missing or unreadable, invalid JSON) is fatal: the
# process exits with a message naming the file, because every credential
# lookup that has no ENV override depends on this document.
#
# @return [Hash] the parsed JSON document
def configuration
  return @configuration if @configuration

  raw = File.read(configuration_file)
  @configuration = JSON.parse(raw)
rescue StandardError
  abort("Missing or invalid #{configuration_file}")
end

#configuration_fileObject



# File 'lib/ops/oauth2/google.rb', line 46

# Location of the JSON configuration consulted when an ENV override is absent.
#
# @return [String] absolute path of the config file
def configuration_file
  File.join('/etc', 'oauth2', 'oauth2.conf')
end

#google_whitelisted_domainsObject



# File 'lib/ops/oauth2/google.rb', line 26

# Allow-listed email domains: ENV first, then the configuration file.
#
# Note that the ENV form is a single String, whereas the config file may
# hold an Array; callers must cope with both shapes.
#
# @return [String, Array<String>] the setting; exits if neither source has it
def google_whitelisted_domains
  domains = ENV['GOOGLE_WHITELISTED_DOMAINS']
  domains ||= configuration.dig('google', 'whitelisted_domains')
  domains || abort('Missing GOOGLE_WHITELISTED_DOMAINS')
end

#google_whitelisted_emailsObject



# File 'lib/ops/oauth2/google.rb', line 30

# Allow-listed email addresses: ENV first, then the configuration file.
#
# Note that the ENV form is a single String, whereas the config file may
# hold an Array; callers must cope with both shapes.
#
# @return [String, Array<String>] the setting; exits if neither source has it
def google_whitelisted_emails
  emails = ENV['GOOGLE_WHITELISTED_EMAILS']
  emails ||= configuration.dig('google', 'whitelisted_emails')
  emails || abort('Missing GOOGLE_WHITELISTED_EMAILS')
end

#oauth_auth_redirectObject



# File 'lib/ops/oauth2/google.rb', line 67

# Full URL of Google's consent page, including our query parameters.
#
# @return [String] oauth_auth_url with oauth_auth_url_params appended
def oauth_auth_redirect
  "#{oauth_auth_url}?#{oauth_auth_url_params}"
end

#oauth_auth_urlObject



# File 'lib/ops/oauth2/google.rb', line 34

# Google's OAuth2 authorization (consent page) endpoint.
#
# @return [String] absolute HTTPS URL
def oauth_auth_url
  host = 'https://accounts.google.com'
  "#{host}/o/oauth2/auth"
end

#oauth_auth_url_paramsObject



# File 'lib/ops/oauth2/google.rb', line 56

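# Query string for the authorization request (authorization-code flow,
# scope `email`).  Every value that comes from configuration is URL-encoded,
# including client_id, which the previous version interpolated raw.
#
# NOTE(review): `state` is set to a fixed URL (state_url) rather than a
# random per-request value, so it does not protect the callback against
# login CSRF; a session-bound nonce would.
#
# @return [String] '&'-joined key=value pairs, without the leading '?'
def oauth_auth_url_params
  [
    "client_id=#{CGI.escape(oauth_client_id)}",
    'scope=email',
    'response_type=code',
    "redirect_uri=#{CGI.escape(redirect_url)}",
    "state=#{CGI.escape(state_url)}",
    'login_hint='
  ].join('&')
end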

#oauth_client_idObject



# File 'lib/ops/oauth2/google.rb', line 14

# The Google OAuth2 client id: ENV first, then the configuration file.
#
# @return [String] the client id; the process exits if neither source has it
def oauth_client_id
  client_id = ENV['GOOGLE_OAUTH_CLIENT_ID']
  client_id ||= configuration.dig('google', 'oauth_client_id')
  client_id || abort('Missing GOOGLE_OAUTH_CLIENT_ID')
end

#oauth_client_secretObject



# File 'lib/ops/oauth2/google.rb', line 10

# The Google OAuth2 client secret: ENV first, then the configuration file.
#
# Treat the value as a credential: it is sent to the token endpoint (see
# verify) and must never be logged or exposed to the browser.
#
# @return [String] the secret; the process exits if neither source has it
def oauth_client_secret
  secret = ENV['GOOGLE_OAUTH_CLIENT_SECRET']
  secret ||= configuration.dig('google', 'oauth_client_secret')
  secret || abort('Missing GOOGLE_OAUTH_CLIENT_SECRET')
end

#oauth_token_urlObject



# File 'lib/ops/oauth2/google.rb', line 38

# Google's OAuth2 token endpoint, where the authorization code is redeemed.
#
# @return [String] absolute HTTPS URL
def oauth_token_url
  host = 'https://accounts.google.com'
  "#{host}/o/oauth2/token"
end

#oauth_userinfo_urlObject



# File 'lib/ops/oauth2/google.rb', line 42

# Google's userinfo endpoint (v2), queried with the bearer token to learn
# the account's email address.
#
# @return [String] absolute HTTPS URL
def oauth_userinfo_url
  host = 'https://www.googleapis.com'
  "#{host}/oauth2/v2/userinfo"
end

#permitted?(user_info) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/ops/oauth2/google.rb', line 75

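# Decide whether a Google userinfo response belongs to someone we allow in.
#
# A user is permitted when their email is on the email allow-list, or the
# domain after the last '@' is on the domain allow-list.  Both lists may come
# from ENV (a single String) or from the configuration file, so they are
# normalised into an Array first: testing the raw String with String#include?
# is a substring match -- "corp.example.com" would be accepted by an
# allow-list of "example.com" and "ob@example.org" by "bob@example.org" --
# which is an authorization bypass rather than an allow-list.  Comparison is
# case-insensitive (domains are case-insensitive by definition).
#
# Any exception is treated as "not permitted" (fail closed).
#
# @param user_info [Hash, #dig] parsed userinfo response; needs 'email'
# @return [Boolean] true only for an exact match on email or domain
def permitted?(user_info)
  email = user_info.dig('email')
  return false unless email.is_a?(String)
  # Google reports whether it has verified the address; if that flag is
  # present and false, do not base an allow-list decision on the address.
  return false if user_info.dig('verified_email') == false

  email = email.strip.downcase
  local, sep, domain = email.rpartition('@')
  return false if sep.empty? || local.empty? || domain.empty?

  return true if allow_list(google_whitelisted_emails).include?(email)
  allow_list(google_whitelisted_domains).include?(domain)
rescue StandardError
  false
end

# Coerce an allow-list setting into an Array of lowercase, non-empty entries.
# ENV values arrive as one String (comma and/or whitespace separated); the
# configuration file may already provide an Array.
#
# @param setting [String, Array<String>, nil] raw allow-list setting
# @return [Array<String>]
def allow_list(setting)
  Array(setting)
    .flat_map { |entry| entry.to_s.split(/[\s,]+/) }
    .map(&:downcase)
    .reject(&:empty?)
end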

#redirect_urlObject



# File 'lib/ops/oauth2/google.rb', line 18

# Our OAuth2 redirect URI (the callback Google sends the browser back to):
# ENV first, then the configuration file.  It is sent on the authorization
# request and again on the code exchange (see verify); OAuth2 requires the
# two to be identical.
#
# @return [String] the redirect URI; the process exits if neither source has it
def redirect_url
  url = ENV['GOOGLE_OAUTH_REDIRECT_URL']
  url ||= configuration.dig('google', 'oauth_redirect_url')
  url || abort('Missing GOOGLE_OAUTH_REDIRECT_URL')
end

#state_urlObject



# File 'lib/ops/oauth2/google.rb', line 22

# Value sent as the OAuth2 `state` parameter: ENV first, then the
# configuration file.  It is a fixed server URL, not a per-request random
# value, so it offers no CSRF protection for the callback (see
# oauth_auth_url_params).
#
# @return [String] the state value; the process exits if neither source has it
def state_url
  url = ENV['OAUTH_SERVER_URL']
  url ||= configuration.dig('google', 'oauth_server_url')
  url || abort('Missing OAUTH_SERVER_URL')
end

#user_info(authorization) ⇒ Object



# File 'lib/ops/oauth2/google.rb', line 86

# Fetch the Google profile for an access token.
#
# The token is sent as a Bearer credential; the response is returned as-is
# and callers read 'email' from it (and reject responses without one).
# NOTE(review): the HTTP status is not checked here, so an expired or bad
# token surfaces only as a response with no 'email'.
#
# @param authorization [String] OAuth2 access token
# @return [HTTParty::Response] the userinfo response
def user_info(authorization)
  bearer = { 'Authorization' => "Bearer #{authorization}" }
  HTTParty.get(oauth_userinfo_url, headers: bearer)
end

#verify(code) ⇒ Object



# File 'lib/ops/oauth2/google.rb', line 130

# Redeem an authorization code at Google's token endpoint.
#
# The client secret travels in the POST body, as is standard for a
# confidential client; never log the form.  The response is returned
# unchecked: callers read 'access_token' from it and treat its absence as
# failure.
# NOTE(review): no request timeout is set and the HTTP status is not
# inspected, so a slow or failing token endpoint shows up only as a missing
# token.
#
# @param code [String, nil] the one-time code from Google's callback
# @return [HTTParty::Response] token endpoint response (token or error document)
def verify(code)
  form = {
    client_id: oauth_client_id,
    client_secret: oauth_client_secret,
    code: code,
    redirect_uri: redirect_url,
    grant_type: 'authorization_code'
  }
  HTTParty.post(oauth_token_url, body: form)
end