Class: Himari::Services::DownstreamAuthorization

Inherits: Object
Defined in:
lib/himari/services/downstream_authorization.rb

Defined Under Namespace

Classes: ForbiddenError, Result

Class Method Summary

  • .from_request(session:, client:, request:, requested_scopes:, grant_type: :initial) ⇒ Object

Instance Method Summary

  • #perform ⇒ Object

Constructor Details

#initialize(session:, client:, requested_scopes:, grant_type: :initial, request: nil, authz_rules: [], logger: nil) ⇒ DownstreamAuthorization

Returns a new instance of DownstreamAuthorization.

Parameters:

  • session (Himari::SessionData)

    the authenticated upstream session; its claims seed the decision and its claims and user_data are exposed to rules.

  • client (Himari::ClientRegistration)

    the downstream client; its registered scopes act as the allow-list applied to requested_scopes before any rule runs.

  • requested_scopes (Array<String>)

    scopes asked for, before the client's allow-list filter. The caller supplies them from the appropriate source: the authorization endpoint passes the request's parsed scope, the refresh flow the scopes recorded on the grant.

  • grant_type (Symbol) (defaults to: :initial)

    the flow being authorized; exposed to rules as context.grant_type so a rule can treat a refresh differently from an initial grant.

  • request (Rack::Request) (defaults to: nil)

    exposed to rules as context.request (an escape hatch); the engine never reads it, so requested scopes are supplied explicitly, never derived from it.

  • authz_rules (Array<Himari::Rule>) (defaults to: [])

    authorization rules, evaluated in order by Himari::RuleProcessor. With no rules the decision is never allowed and #perform raises ForbiddenError.

  • logger (Logger) (defaults to: nil)


# File 'lib/himari/services/downstream_authorization.rb', line 49

def initialize(session:, client:, requested_scopes:, grant_type: :initial, request: nil, authz_rules: [], logger: nil)
  @session = session
  @client = client
  @grant_type = grant_type
  @request = request
  @requested_scopes = requested_scopes
  @authz_rules = authz_rules
  @logger = logger
end

Class Method Details

.from_request(session:, client:, request:, requested_scopes:, grant_type: :initial) ⇒ Object

Parameters:

  • request (Rack::Request)

    besides being passed through as the rules' escape hatch, it supplies the two values the constructor would otherwise need explicitly: authz_rules are collected from request.env[Himari::Middlewares::AuthorizationRule::RACK_KEY] through Himari::ProviderChain (an empty list when the middleware did not run), and logger is taken from request.env['rack.logger'].

  • session, client, requested_scopes, grant_type

    passed to #initialize unchanged; see the constructor for their meaning.


# File 'lib/himari/services/downstream_authorization.rb', line 63

def self.from_request(session:, client:, request:, requested_scopes:, grant_type: :initial)
  new(
    session: session,
    client: client,
    grant_type: grant_type,
    request: request,
    requested_scopes: requested_scopes,
    authz_rules: Himari::ProviderChain.new(request.env[Himari::Middlewares::AuthorizationRule::RACK_KEY] || []).collect,
    logger: request.env['rack.logger'],
  )
end

Instance Method Details

#perform ⇒ Object

Raises:

  • ForbiddenError

    raised when the rule evaluation does not set authorization.allowed. The exception wraps a Result whose claims, lifetime and mint_jwt_access_token are nil; its scopes are the client-filtered scopes and its authorization field is the full Himari::RuleProcessor result, so a caller can log which rule (if any) produced the denial.

Returns a Result carrying the client, the rules' output_claims, the filtered scopes, the granted lifetime and the mint_jwt_access_token flag. Note that the rules run against a copy of the session claims (@session.claims.dup) and a frozen context, so a rule can shape the downstream claims without mutating the session.


# File 'lib/himari/services/downstream_authorization.rb', line 75

def perform
  scopes = @client.filter_scopes(@requested_scopes)
  context = Himari::Decisions::Authorization::Context.new(claims: @session.claims, user_data: @session.user_data, request: @request, client: @client, scopes: scopes, grant_type: @grant_type).freeze

  authorization = Himari::RuleProcessor.new(context, Himari::Decisions::Authorization.new(claims: @session.claims.dup)).run(@authz_rules)
  raise ForbiddenError.new(Result.new(@client, nil, scopes, nil, nil, authorization)) unless authorization.allowed

  claims = authorization.decision.output_claims
  lifetime = authorization.decision.lifetime
  mint_jwt_access_token = authorization.decision.mint_jwt_access_token
  Result.new(@client, claims, scopes, lifetime, mint_jwt_access_token, authorization)
end
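The pipeline in #perform, modelled as a stand-alone script. This is an added example, not Himari's own code: StubClient, StubSession, Context, Decision, Result, ForbiddenError, evaluate_rules and authorize are hypothetical stand-ins for the Himari classes, and the rule protocol (a callable returning :allow, :deny or :skip; first :allow or :deny wins; no match means deny) is assumed for this example only. It shows the three security-relevant properties of the method: unregistered scopes are removed before rules see them, rules edit a copy of the session claims rather than the session, and a denial raises ForbiddenError carrying a Result with nil claims.

```ruby
# Added example (not Himari's code); all names below are hypothetical stand-ins.

# Stand-in for Himari::ClientRegistration: registered scopes are the allow-list.
StubClient = Struct.new(:id, :allowed_scopes) do
  # Drops every requested scope the client was not registered for, so rules
  # never see (and cannot accidentally grant) an unregistered scope.
  def filter_scopes(requested)
    requested.select { |s| allowed_scopes.include?(s) }
  end
end

# Stand-in for Himari::SessionData.
StubSession = Struct.new(:claims, :user_data)

# Read-only view handed to rules (frozen, mirroring Context#freeze in perform).
Context = Struct.new(:claims, :user_data, :client, :scopes, :grant_type, keyword_init: true)

# Mutable decision a rule fills in when it allows the authorization.
Decision = Struct.new(:output_claims, :lifetime, :mint_jwt_access_token, keyword_init: true)

# Mirrors the Result struct: claims and lifetime are nil when access is forbidden.
Result = Struct.new(:client, :claims, :scopes, :lifetime, :mint_jwt_access_token, :allowed)

class ForbiddenError < StandardError
  attr_reader :result
  def initialize(result)
    @result = result
    super("authorization denied for client #{result.client.id}")
  end
end

# Assumed rule protocol: rule.call(context, decision) -> :allow | :deny | :skip.
def evaluate_rules(rules, context, decision)
  rules.each do |rule|
    case rule.call(context, decision)
    when :allow then return true
    when :deny  then return false
    end
  end
  false # default deny: no rule spoke up
end

def authorize(session:, client:, requested_scopes:, rules:, grant_type: :initial)
  # 1. The client allow-list filter runs before any rule sees the request.
  scopes = client.filter_scopes(requested_scopes)
  context = Context.new(claims: session.claims, user_data: session.user_data,
                        client: client, scopes: scopes, grant_type: grant_type).freeze
  # 2. Rules mutate a copy of the session claims, never the session itself.
  decision = Decision.new(output_claims: session.claims.dup, lifetime: nil,
                          mint_jwt_access_token: false)
  allowed = evaluate_rules(rules, context, decision)
  # 3. A denial still reports the filtered scopes but carries no claims or lifetime.
  raise ForbiddenError.new(Result.new(client, nil, scopes, nil, nil, false)) unless allowed

  Result.new(client, decision.output_claims, scopes, decision.lifetime,
             decision.mint_jwt_access_token, true)
end

# --- constructed sample data, for this example only ---
SAMPLE_CLIENT  = StubClient.new('dashboard', %w[openid profile]).freeze
SAMPLE_SESSION = StubSession.new(
  { 'sub' => 'alice', 'groups' => %w[staff], 'email' => 'alice@example.com' }, {}
).freeze

# Rule: staff members get a one-hour grant with the email claim stripped,
# because the downstream client has no need for it.
STAFF_RULE = lambda do |ctx, decision|
  next :skip unless ctx.claims['groups'].include?('staff')
  decision.output_claims.delete('email')
  decision.lifetime = 3600
  decision.mint_jwt_access_token = true
  :allow
end

# 'admin' is requested but not registered for the client, so it is filtered out.
def example_allowed
  authorize(session: SAMPLE_SESSION, client: SAMPLE_CLIENT,
            requested_scopes: %w[openid profile admin], rules: [STAFF_RULE])
end

# No rule matches a non-staff session, so the default-deny path raises.
def example_denied
  contractor = StubSession.new({ 'sub' => 'bob', 'groups' => %w[contractor] }, {})
  authorize(session: contractor, client: SAMPLE_CLIENT,
            requested_scopes: %w[openid], rules: [STAFF_RULE])
rescue ForbiddenError => e
  e
end
```

Running example_allowed returns a Result with scopes ["openid", "profile"], claims without the email key, and lifetime 3600, while SAMPLE_SESSION.claims still contains the email; example_denied returns the ForbiddenError whose result has nil claims and the filtered scopes. The same check, applied to the real class, is to assert that a rule's mutations of decision.output_claims never show up in session.claims and that the scopes on a denial Result are the filtered ones, not the raw request.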