
authortheworldbright <kent@kentshikama.com>2015-08-13 07:21:25 +0300
committertheworldbright <kent@kentshikama.com>2016-01-04 10:49:51 +0300
commitbc5e5c742064a223e7377af6ab029f4f2d14f3fe (patch)
tree2706c0f7c9fef9b86c124ee70c8de9b473b4f597 /lib/api/openid_connect/authorization_point
parentcd2f1215e8f86bcdd9e6cf78a41c73f93342f927 (diff)
Fix pronto errors
Diffstat (limited to 'lib/api/openid_connect/authorization_point')
-rw-r--r--lib/api/openid_connect/authorization_point/endpoint.rb58
-rw-r--r--lib/api/openid_connect/authorization_point/endpoint_confirmation_point.rb50
-rw-r--r--lib/api/openid_connect/authorization_point/endpoint_start_point.rb13
3 files changed, 121 insertions, 0 deletions
diff --git a/lib/api/openid_connect/authorization_point/endpoint.rb b/lib/api/openid_connect/authorization_point/endpoint.rb
new file mode 100644
index 000000000..29d010f91
--- /dev/null
+++ b/lib/api/openid_connect/authorization_point/endpoint.rb
@@ -0,0 +1,58 @@
+module Api
+ module OpenidConnect
+ module AuthorizationPoint
+ class Endpoint
+ attr_accessor :app, :user, :o_auth_application, :redirect_uri, :response_type,
+ :scopes, :_request_, :request_uri, :request_object, :nonce
+ delegate :call, to: :app
+
+ def initialize(current_user)
+ @user = current_user
+ @app = Rack::OAuth2::Server::Authorize.new do |req, res|
+ build_attributes(req, res)
+ if OAuthApplication.available_response_types.include? Array(req.response_type).map(&:to_s).join(" ")
+ handle_response_type(req, res)
+ else
+ req.unsupported_response_type!
+ end
+ end
+ end
+
+ def build_attributes(req, res)
+ build_client(req)
+ build_redirect_uri(req, res)
+ verify_nonce(req, res)
+ build_scopes(req)
+ end
+
+ def handle_response_type(_req, _res)
+ # Implemented by subclass
+ end
+
+ private
+
+ def build_client(req)
+ @o_auth_application = OAuthApplication.find_by_client_id(req.client_id) || req.bad_request!
+ end
+
+ def build_redirect_uri(req, res)
+ res.redirect_uri = @redirect_uri = req.verify_redirect_uri!(@o_auth_application.redirect_uris)
+ end
+
+ def verify_nonce(req, res)
+ req.invalid_request! "nonce required" if res.protocol_params_location == :fragment && req.nonce.blank?
+ end
+
+ def build_scopes(req)
+ @scopes = req.scope.map {|scope_name|
+ OpenidConnect::Scope.where(name: scope_name).first.tap do |scope|
+ req.invalid_scope! "Unknown scope: #{scope}" unless scope
+ end
+ }
+ end
+
+ # TODO: buildResponseType(req)
+ end
+ end
+ end
+end
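Review bot: The error message in `build_scopes` interpolates `scope`, which is the `nil` that the `unless scope` branch just tested, so the client is told "Unknown scope: " with the offending name missing; it should read `req.invalid_scope! "Unknown scope: #{scope_name}" unless scope`. Separately, nothing in this file requires the `openid` scope to be present even though the subclass later mints ID tokens; unless that is enforced elsewhere, a guard after the map such as `req.invalid_scope! "openid scope required" unless @scopes.any? {|s| s.name == "openid" }` would match what OIDC expects. The redirect_uri check against the registered URIs and the nonce requirement for fragment responses look right.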
diff --git a/lib/api/openid_connect/authorization_point/endpoint_confirmation_point.rb b/lib/api/openid_connect/authorization_point/endpoint_confirmation_point.rb
new file mode 100644
index 000000000..a500b9dcc
--- /dev/null
+++ b/lib/api/openid_connect/authorization_point/endpoint_confirmation_point.rb
@@ -0,0 +1,50 @@
+module Api
+ module OpenidConnect
+ module AuthorizationPoint
+ class EndpointConfirmationPoint < Endpoint
+ def initialize(current_user, approved=false)
+ super(current_user)
+ @approved = approved
+ end
+
+ def handle_response_type(req, res)
+ handle_approval(@approved, req, res)
+ end
+
+ def handle_approval(approved, req, res)
+ if approved
+ approved!(req, res)
+ else
+ req.access_denied!
+ end
+ end
+
+ # TODO: Add support for request object and auth code
+ def approved!(req, res)
+ auth = OpenidConnect::Authorization.find_or_create_by(o_auth_application: @o_auth_application, user: @user)
+ auth.scopes << @scopes
+ handle_approved_response_type(auth, req, res)
+ res.approve!
+ end
+
+ def handle_approved_response_type(auth, req, res)
+ response_types = Array(req.response_type)
+ handle_approved_access_token(auth, res, response_types)
+ handle_approved_id_token(auth, req, res, response_types)
+ end
+
+ def handle_approved_access_token(auth, res, response_types)
+ return unless response_types.include?(:token)
+ res.access_token = auth.create_access_token
+ end
+
+ def handle_approved_id_token(auth, req, res, response_types)
+ return unless response_types.include?(:id_token)
+ id_token = auth.create_id_token(req.nonce)
+ access_token_value = res.respond_to?(:access_token) ? res.access_token : nil
+ res.id_token = id_token.to_jwt(code: nil, access_token: access_token_value)
+ end
+ end
+ end
+ end
+end
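Review bot: `auth.scopes << @scopes` in `approved!` appends the requested scopes to an Authorization that `find_or_create_by` may have returned from an earlier consent, so re-approving the same client re-adds scopes it already holds; if `scopes` is an ActiveRecord association, `<<` does not de-duplicate, and `auth.scopes << (@scopes - auth.scopes)` would avoid that. `handle_approved_id_token` also issues an ID token whenever `:id_token` is in the response type without checking that the granted scopes include `openid`; if that is not enforced upstream, a `return unless auth.scopes.any? {|s| s.name == "openid" }` guard belongs here. The positional `approved=false` flag would read better at call sites as a keyword argument, though that changes the constructor's interface.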
diff --git a/lib/api/openid_connect/authorization_point/endpoint_start_point.rb b/lib/api/openid_connect/authorization_point/endpoint_start_point.rb
new file mode 100644
index 000000000..69667cd0e
--- /dev/null
+++ b/lib/api/openid_connect/authorization_point/endpoint_start_point.rb
@@ -0,0 +1,13 @@
+module Api
+ module OpenidConnect
+ module AuthorizationPoint
+ class EndpointStartPoint < Endpoint
+ def handle_response_type(req, _res)
+ @response_type = req.response_type
+ end
+
+ # TODO: buildRequestObject(req)
+ end
+ end
+ end
+end
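Review bot: `EndpointStartPoint#handle_response_type` only records the response type, and it is not obvious from this file that by the time it runs the request has already been validated by `Endpoint#build_attributes` and that no `res.approve!` is issued, so the response presumably falls through to the controller's consent step rather than redirecting back to the client. A short comment would save the next reader a trip through the parent class: `# Request has already passed client, redirect_uri, nonce and scope validation in Endpoint#build_attributes; only the response type is kept here for the consent step.`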