apill 4.1.0 → 4.2.0

data/lib/apill/tokens/json_web_token.rb.orig

@@ -0,0 +1,62 @@
+require 'jwt'
+require 'json/jwt'
+require 'apill/tokens/json_web_token/invalid'
+require 'apill/tokens/json_web_token/null'
+
+module  Apill
+module  Tokens
+class   JsonWebToken
+  attr_accessor :token
+
+  def initialize(token:)
+    self.token = token
+  end
+
+  def valid?
+    true
+  end
+
+  def blank?
+    false
+  end
+
+  def to_h
+    token
+  end
+
+  def self.convert(raw_token:, token_private_key: Apill.configuration.token_private_key)
+    return JsonWebToken::Null.instance if raw_token.to_s == ''
+
+    decrypted_token = JSON::JWT.decode(raw_token, token_private_key).plain_text
+    decoded_token   = JWT.decode(decrypted_token,
+                                 token_private_key,
+                                 true,
+                                 algorithm:         'RS256',
+                                 verify_expiration: true,
+                                 verify_not_before: true,
+                                 verify_iat:        true,
+                                 leeway:            5,
+                                )
+
+    new(token: decoded_token)
+  rescue JSON::JWT::Exception,
+         JSON::JWT::InvalidFormat,
+         JSON::JWT::VerificationFailed,
+         JSON::JWT::UnexpectedAlgorithm,
+         JWT::DecodeError,
+         JWT::VerificationError,
+         JWT::ExpiredSignature,
+         JWT::IncorrectAlgorithm,
+         JWT::ImmatureSignature,
+         JWT::InvalidIssuerError,
+         JWT::InvalidIatError,
+         JWT::InvalidAudError,
+         JWT::InvalidSubError,
+         JWT::InvalidJtiError,
+         OpenSSL::PKey::RSAError
+
+    JsonWebToken::Invalid.instance
+  end
+end
+end
+end

data/lib/apill/tokens/json_web_tokens/invalid.rb.orig

@@ -0,0 +1,23 @@
+require 'singleton'
+
+module  Apill
+module  Tokens
+module  JsonWebTokens
+class   Invalid
+  include Singleton
+
+  def valid?
+    false
+  end
+
+  def blank?
+    false
+  end
+
+  def to_h
+    [{}, {}]
+  end
+end
+end
+end
+end

data/lib/apill/tokens/json_web_tokens/null.rb.orig

@@ -0,0 +1,23 @@
+require 'singleton'
+
+module  Apill
+module  Tokens
+module  JsonWebTokens
+class   Null
+  include Singleton
+
+  def valid?
+    true
+  end
+
+  def blank?
+    true
+  end
+
+  def to_h
+    [{}, {}]
+  end
+end
+end
+end
+end

data/lib/apill/version.rb

@@ -1,3 +1,3 @@
 module Apill
-  VERSION = '4.1.0'.freeze
+  VERSION = '4.2.0'.freeze
 end

data/spec/apill/authorizers/parameters/filtering_spec.rb

@@ -0,0 +1,70 @@
+require 'rspectacular'
+require 'apill/authorizers/parameters/filtering'
+
+module    Apill
+module    Authorizers
+class     Parameters
+describe  Filtering do
+  let(:params) { { filter: { name: 'Bill', age: 26 } } }
+
+  it 'can authorize new filter parameters', verify: false do
+    filter_params = Filtering.new(token:  '1234',
+                                  user:   '1234',
+                                  params: params)
+
+    allow(params).to receive(:permit)
+
+    filter_params.send(:add_filterable_parameters, :name, :age)
+    filter_params.call
+
+    expect(params).to have_received(:permit).
+                      with(:sort, include(filter: include(:name, :age)))
+  end
+
+  it 'can authorize parameters if they come in as arrays', verify: false do
+    params        = {
+      filter: {
+        name: 'Bill',
+        ary:  %w{hello},
+      },
+    }
+    filter_params = Filtering.new(token:  '1234',
+                                  user:   '1234',
+                                  params: params)
+
+    allow(params).to receive(:permit)
+
+    filter_params.send(:add_filterable_parameters, :name, :ary)
+    filter_params.call
+
+    expect(params).to have_received(:permit).
+                      with(:sort, include(filter: include(:name, ary: [])))
+  end
+
+  it 'has default authorized parameters', verify: false do
+    filter_params = Filtering.new(token:  '1234',
+                                  user:   '1234',
+                                  params: params)
+
+    allow(params).to receive(:permit)
+
+    filter_params.call
+
+    expect(params).to have_received(:permit).
+                      with(:sort,
+                           page:   %i{
+                             number
+                             size
+                             offset
+                             limit
+                             cursor
+                           },
+                           filter: [
+                             :query,
+                             {},
+                           ])
+  end
+end
+end
+end
+end

data/spec/apill/authorizers/parameters/resource_spec.rb

@@ -0,0 +1,11 @@
+require 'rspectacular'
+require 'apill/authorizers/parameters/resource'
+
+module    Apill
+module    Authorizers
+class     Parameters
+describe  Resource do
+end
+end
+end
+end

data/spec/apill/authorizers/parameters_spec.rb

@@ -0,0 +1,16 @@
+require 'rspectacular'
+require 'apill/authorizers/parameters'
+
+module    Apill
+module    Authorizers
+describe  Parameters do
+  it 'defaults to nothing' do
+    parameters = Parameters.new(token:  '123',
+                                user:   'my_user',
+                                params: { foo: 'bar' })
+
+    expect(parameters.call).to eql(foo: 'bar')
+  end
+end
+end
+end

data/spec/apill/authorizers/query_spec.rb

@@ -0,0 +1,20 @@
+require 'rspectacular'
+require 'apill/authorizers/query'
+
+module    Apill
+module    Authorizers
+describe  Query do
+  it 'does not authorize the resource by default' do
+    authorizer = Query.new(token:    '123',
+                           user:     'my_user',
+                           resource: 'my_resource')
+
+    expect(authorizer).to     be_able_to_index
+    expect(authorizer).not_to be_able_to_show
+    expect(authorizer).not_to be_able_to_create
+    expect(authorizer).not_to be_able_to_update
+    expect(authorizer).not_to be_able_to_destroy
+  end
+end
+end
+end

data/spec/apill/authorizers/scope_spec.rb

@@ -0,0 +1,19 @@
+require 'rspectacular'
+require 'ostruct'
+require 'apill/authorizers/scope'
+
+module    Apill
+module    Authorizers
+describe  Scope do
+  it 'defaults to nothing' do
+    scope = Scope.new(token:          '123',
+                      user:           'my_user',
+                      scoped_user_id: '456',
+                      params:         {},
+                      scope_root:     OpenStruct.new(none: []))
+
+    expect(scope.call).to be_empty
+  end
+end
+end
+end

data/spec/apill/middleware/api_request_spec.rb

@@ -132,7 +132,7 @@ describe  ApiRequest, singletons: HumanError::Configuration do
     request = {
       'HTTP_HOST'          => 'api.example.com',
       'HTTP_ACCEPT'        => 'application/vnd.matrix+zion;version=1.0.0',
-      'HTTP_AUTHORIZATION' => "Token #{valid_jwt_token}",
+      'HTTP_AUTHORIZATION' => "Token #{valid_jwe_token}",
       'QUERY_STRING'       => 'accept=application/vnd.matrix+zion;version=1.0.0',
     }
 
@@ -150,7 +150,7 @@ describe  ApiRequest, singletons: HumanError::Configuration do
     request = {
       'HTTP_HOST'          => 'api.example.com',
       'HTTP_ACCEPT'        => 'application/vnd.matrix+zion;version=1.0.0',
-      'HTTP_AUTHORIZATION' => "Token #{invalid_jwt_token}",
+      'HTTP_AUTHORIZATION' => "Token #{invalid_jwe_token}",
       'QUERY_STRING'       => 'accept=application/vnd.matrix+zion;version=1.0.0',
     }
 

data/spec/apill/requests/rack_spec.rb

@@ -54,7 +54,7 @@ describe  Rack do
 
   it 'finds the authorization token from the header' do
     raw_request = {
-      'HTTP_AUTHORIZATION' => "Token #{valid_jwt_token}",
+      'HTTP_AUTHORIZATION' => "Token #{valid_jwe_token}",
       'QUERY_STRING'       => '',
     }
     request     = Rack.new(token_private_key: test_private_key,
@@ -98,7 +98,7 @@ describe  Rack do
 
   it 'ignores incorrectly passed in tokens since we do not know what to do' do
     raw_request = {
-      'HTTP_AUTHORIZATION' => "#{valid_jwt_token}",
+      'HTTP_AUTHORIZATION' => "#{valid_jwe_token}",
       'QUERY_STRING'       => '',
     }
     request     = Rack.new(token_private_key: test_private_key,
@@ -112,8 +112,8 @@ describe  Rack do
      'the header is invalid and the authorization token from the params is valid' do
 
     raw_request = {
-      'HTTP_AUTHORIZATION' => "Token #{invalid_jwt_token}",
-      'QUERY_STRING'       => "token_jwt=#{valid_jwt_token}",
+      'HTTP_AUTHORIZATION' => "Token #{invalid_jwe_token}",
+      'QUERY_STRING'       => "token_jwt=#{valid_jwe_token}",
     }
     request     = Rack.new(token_private_key: test_private_key,
                            request:           raw_request)
@@ -130,7 +130,7 @@ describe  Rack do
      'the header is not present and the authorization token from the params is valid' do
 
     raw_request = {
-      'QUERY_STRING' => "token_jwt=#{valid_jwt_token}",
+      'QUERY_STRING' => "token_jwt=#{valid_jwe_token}",
     }
     request     = Rack.new(token_private_key: test_private_key,
                            request:           raw_request)
@@ -156,7 +156,7 @@ describe  Rack do
 
   it 'finds the JSON web token from the params' do
     raw_request = {
-      'QUERY_STRING' => "token_jwt=#{valid_jwt_token}",
+      'QUERY_STRING' => "token_jwt=#{valid_jwe_token}",
     }
     request     = Rack.new(token_private_key: test_private_key,
                            request:           raw_request)
@@ -193,7 +193,7 @@ describe  Rack do
     expect(request.authorization_token_from_params).not_to be_blank
 
     raw_request = {
-      'QUERY_STRING' => "token_jwt=#{invalid_jwt_token}",
+      'QUERY_STRING' => "token_jwt=#{invalid_jwe_token}",
     }
     request     = Rack.new(token_private_key: test_private_key,
                            request:           raw_request)

data/spec/apill/requests/rails_spec.rb

@@ -45,7 +45,7 @@ describe  Rails do
   it 'finds the authorization token from the header' do
     raw_request = OpenStruct.new(
                     headers: {
-                      'HTTP_AUTHORIZATION' => "Token #{valid_jwt_token}",
+                      'HTTP_AUTHORIZATION' => "Token #{valid_jwe_token}",
                     },
                     params:  {})
     request     = Rails.new(token_private_key: test_private_key,
@@ -90,7 +90,7 @@ describe  Rails do
   it 'ignores incorrectly passed in tokens since we do not know what to do' do
     raw_request = OpenStruct.new(
                     headers: {
-                      'HTTP_AUTHORIZATION' => "#{valid_jwt_token}",
+                      'HTTP_AUTHORIZATION' => "#{valid_jwe_token}",
                     },
                     params:  {})
     request     = Rails.new(token_private_key: test_private_key,
@@ -105,9 +105,9 @@ describe  Rails do
 
     raw_request = OpenStruct.new(
                     headers: {
-                      'HTTP_AUTHORIZATION' => "Token #{invalid_jwt_token}",
+                      'HTTP_AUTHORIZATION' => "Token #{invalid_jwe_token}",
                     },
-                    params:  { 'token_jwt' => valid_jwt_token })
+                    params:  { 'token_jwt' => valid_jwe_token })
     request     = Rails.new(token_private_key: test_private_key,
                             request:           raw_request)
 
@@ -124,7 +124,7 @@ describe  Rails do
 
     raw_request = OpenStruct.new(
                     headers: {},
-                    params:  { 'token_jwt' => valid_jwt_token })
+                    params:  { 'token_jwt' => valid_jwe_token })
     request     = Rails.new(token_private_key: test_private_key,
                             request:           raw_request)
 
@@ -150,7 +150,7 @@ describe  Rails do
   it 'finds the JSON web token from the params' do
     raw_request = OpenStruct.new(
                     headers: {},
-                    params:  { 'token_jwt' => valid_jwt_token })
+                    params:  { 'token_jwt' => valid_jwe_token })
     request     = Rails.new(token_private_key: test_private_key,
                             request:           raw_request)
 
@@ -187,7 +187,7 @@ describe  Rails do
 
     raw_request = OpenStruct.new(
                     headers: {},
-                    params:  { 'token_jwt' => invalid_jwt_token })
+                    params:  { 'token_jwt' => invalid_jwe_token })
     request     = Rails.new(token_private_key: test_private_key,
                             request:           raw_request)
 

data/spec/apill/tokens/json_web_token_spec.rb

@@ -4,46 +4,131 @@ require 'apill/tokens/json_web_token'
 module    Apill
 module    Tokens
 describe  JsonWebToken do
-  it 'can convert an empty token' do
-    token = JsonWebToken.convert(token_private_key: test_private_key,
-                                 raw_token:         nil)
+  it 'can convert an empty encrypted token' do
+    token = JsonWebToken.from_jwe(nil,
+                                  private_key: test_private_key)
 
     expect(token).to be_a JsonWebTokens::Null
   end
 
-  it 'can convert an invalid token' do
-    token = JsonWebToken.convert(token_private_key: test_private_key,
-                                 raw_token:         invalid_jwt_token)
+  it 'can convert an invalid encrypted token' do
+    token = JsonWebToken.from_jwe(invalid_jwe_token,
+                                  private_key: test_private_key)
 
     expect(token).to be_a JsonWebTokens::Invalid
   end
 
-  it 'can verify an expired token' do
-    expired_jwe = valid_jwt_token('exp' => 1.day.ago.to_i,
+  it 'can verify an expired encrypted token' do
+    expired_jwe = valid_jwe_token('exp' => 1.day.ago.to_i,
                                   'baz' => 'bar')
-    token       = JsonWebToken.convert(
-                    token_private_key: test_private_key,
-                    raw_token:         expired_jwe)
+    token       = JsonWebToken.from_jwe(expired_jwe,
+                                        private_key: test_private_key)
 
     expect(token).to be_a JsonWebTokens::Invalid
   end
 
-  it 'can convert an invalidly signed token' do
+  it 'can convert an invalidly signed encrypted token' do
     other_private_key = OpenSSL::PKey::RSA.new(2048)
-    token             = JsonWebToken.convert(
-                          token_private_key: other_private_key,
-                          raw_token:         valid_jwt_token)
+    token             = JsonWebToken.from_jwe(valid_jwe_token,
+                                              private_key: other_private_key)
 
     expect(token).to be_a JsonWebTokens::Invalid
   end
 
-  it 'can convert a valid token' do
-    token = JsonWebToken.convert(token_private_key: test_private_key,
-                                 raw_token:         valid_jwt_token)
+  it 'can convert a valid encrypted token' do
+    token = JsonWebToken.from_jwe(valid_jwe_token,
+                                  private_key: test_private_key)
 
     expect(token).to      be_a JsonWebToken
     expect(token.to_h).to eql([{ 'bar' => 'baz' }, { 'typ' => 'JWT', 'alg' => 'RS256' }])
   end
+
+  it 'can convert an empty signed token' do
+    token = JsonWebToken.from_jws(nil,
+                                  private_key: test_private_key)
+
+    expect(token).to be_a JsonWebTokens::Null
+  end
+
+  it 'can verify an expired signed token' do
+    expired_jws = valid_jws_token('exp' => 1.day.ago.to_i,
+                                  'baz' => 'bar')
+    token       = JsonWebToken.from_jws(expired_jws,
+                                        private_key: test_private_key)
+
+    expect(token).to be_a JsonWebTokens::Invalid
+  end
+
+  it 'can convert an invalidly signed token' do
+    other_private_key             = OpenSSL::PKey::RSA.new(2048)
+    token_signed_with_another_key = JsonWebToken.from_jws(valid_jws_token,
+                                                          private_key: other_private_key)
+    invalid_token                 = JsonWebToken.from_jws(invalid_jws_token,
+                                                          private_key: test_private_key)
+
+    expect(token_signed_with_another_key).to be_a JsonWebTokens::Invalid
+    expect(invalid_token).to                 be_a JsonWebTokens::Invalid
+  end
+
+  it 'can convert a valid signed token' do
+    token = JsonWebToken.from_jws(valid_jws_token,
+                                  private_key: test_private_key)
+
+    expect(token).to      be_a JsonWebToken
+    expect(token.to_h).to eql([{ 'bar' => 'baz' }, { 'typ' => 'JWT', 'alg' => 'RS256' }])
+  end
+
+  it 'can transform into a JWT' do
+    token = JsonWebToken.new(data:        { 'foo' => 'bar' },
+                             private_key: test_private_key)
+
+    jwt   = token.to_jwt
+    jwt_s = token.to_jwt_s
+
+    expect(jwt.to_h).to eql('foo' => 'bar')
+    expect(jwt_s).to    eql('eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJmb28iOiJiYXIifQ.')
+  end
+
+  # rubocop:disable Metrics/LineLength
+  it 'can transform into a JWS and back' do
+    token = JsonWebToken.new(data:        { 'foo' => 'bar' },
+                             private_key: test_private_key)
+
+    jws   = token.to_jws
+    jws_s = token.to_jws_s
+
+    expect(jws.to_h).to eql('foo' => 'bar')
+    expect(jws_s).to    eql('eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.DhPBu9Bfha08hSoy1a8Ps5YGxv2_KJCoNALH8dzd8b_VgKCPRQlIaHZwQfS5N1yfZczc2EqXIhPma4I2i-L92oDxyugZYfhMH6XUXSgB6F7SU5WtiglQ8gfgxC_u_K5htD_6zpRaHi6UTNbG8NF3RFBYK9za4GFPPWQawRQpdH2CxjyZP6pilmkynLuKx0OeQbJf1yzdgn1cDt60M8uoZZTzPgoU598ilDjYEETwyGyCi79S3A3ix8oDaJLhM8stPOHLUeglKrkwxOFglzVs7bULjzxZlygZujsHfWu16cjp_P3b4TIH_hiH0-Cjin-EVt4va2TnfGJ8HDxHxzWn7g')
+
+    converted_token = JsonWebToken.from_jws(jws_s,
+                                            private_key: test_private_key)
+
+    expect(converted_token.to_h).to eql [
+      { 'foo' => 'bar' },
+      { 'typ' => 'JWT', 'alg' => 'RS256' },
+    ]
+  end
+  # rubocop:enable Metrics/LineLength
+
+  # rubocop:disable Metrics/LineLength
+  it 'can transform into a JWE and back' do
+    token = JsonWebToken.new(data:        { 'foo' => 'bar' },
+                             private_key: test_private_key)
+
+    jwe   = token.to_jwe
+    jwe_s = token.to_jwe_s
+
+    expect(jwe.plain_text).to eql('eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.DhPBu9Bfha08hSoy1a8Ps5YGxv2_KJCoNALH8dzd8b_VgKCPRQlIaHZwQfS5N1yfZczc2EqXIhPma4I2i-L92oDxyugZYfhMH6XUXSgB6F7SU5WtiglQ8gfgxC_u_K5htD_6zpRaHi6UTNbG8NF3RFBYK9za4GFPPWQawRQpdH2CxjyZP6pilmkynLuKx0OeQbJf1yzdgn1cDt60M8uoZZTzPgoU598ilDjYEETwyGyCi79S3A3ix8oDaJLhM8stPOHLUeglKrkwxOFglzVs7bULjzxZlygZujsHfWu16cjp_P3b4TIH_hiH0-Cjin-EVt4va2TnfGJ8HDxHxzWn7g')
+
+    converted_token = JsonWebToken.from_jwe(jwe_s,
+                                            private_key: test_private_key)
+
+    expect(converted_token.to_h).to eql [
+      { 'foo' => 'bar' },
+      { 'typ' => 'JWT', 'alg' => 'RS256' },
+    ]
+  end
+  # rubocop:enable Metrics/LineLength
 end
 end
 end