authress-sdk 2.0.40.0 → 2.0.43.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3da3bb4308826d29d25cf3e139f9badc7dc83093639761fdcc1d0e04738a1c3a
-  data.tar.gz: '0095c6dda00f393821a3aa4aaa109cad0e9ea9fdcb2f5a649e98cbbd24ea9360'
+  metadata.gz: 8d32ad65dcb072b5d8a7365e5859fc3342ae2425945380781707650a19f9926c
+  data.tar.gz: f81db7d0bc6e7fd9c5d1217f6cd87d02a3ce8dffd8e8e69e0ae95109ab33944c
 SHA512:
-  metadata.gz: b77a612ba6dbd1e1fb1b2df5769a30023244c4001327395eb379259f24696a7ccc001a40a4df72a52bf1362fcf07471f5341d8058ee04ad6e7ba970c9ddac8ed
-  data.tar.gz: 60823e8578a1f7862364ee3a88a6b9429f25c3c6b5e1e01c8a06eea0f0b63beae4a293a8a9852e4570295b42fecf868dfa0d2e6b1fa58eb35c685060a8660dfe
+  metadata.gz: 26e8f74c75866011ca9462cf00388401a1d7e402925013e588aaed065cebd8ff6662ce5fe95ce9d98dcdc4d69693e711a862566b1b4c04120b30ab31700b8c62
+  data.tar.gz: e7aacd4c91af4346b2c3ae79687335e5394fa811d2ceca575ddd531f9789dc9dddfffe2162cce941e1a4025b1228047247130141a3bb26930387f8325040a16f

data/README.md

@@ -1,3 +1,7 @@
+<p id="main" align="center">
+  <img src="https://authress.io/static/images/linkedin-banner.png" alt="Authress media banner">
+</p>
+
 # Authress SDK for Ruby
 This is the Authress SDK used to integrate with the authorization as a service provider Authress at https://authress.io.
 
@@ -74,7 +78,7 @@ end
 
 # on api route
 [route('/resources/<resourceId>')]
-def getResource(resourceId) {
+def getResource(resourceId)
   # Check Authress to authorize the user
   user_identity = AuthressSdk::AuthressClient.verify_token(request.headers.get('authorization'))
 
@@ -82,6 +86,7 @@ def getResource(resourceId) {
   user_id = user_identity.sub
   resource_uri = "resources/#{resourceId}" # String | The uri path of a resource to validate, must be URL encoded, uri segments are allowed, the resource must be a full path, and permissions are not inherited by sub-resources.
   permission = 'READ' # String | Permission to check, '*' and scoped permissions can also be checked here.
+
   begin
     # Check to see if a user has permissions to a resource.
     api_instance = AuthressSdk::UserPermissionsApi.new
@@ -126,4 +131,4 @@ rescue AuthressSdk::ApiError => e
   puts "Exception when calling AccessRecordsApi->create_record: #{e}"
   raise
 end
-```
+```

data/lib/authress-sdk/authress_client.rb

@@ -20,6 +20,9 @@ module AuthressSdk
     # Token Provider
     attr_accessor :token_provider
 
+    # The Token verifier
+    attr_accessor :token_verifier
+
     # Initializes the AuthressClient
     def initialize()
       @config = {
@@ -29,6 +32,7 @@ module AuthressSdk
       }
 
       @token_provider = ConstantTokenProvider.new(nil)
+      @token_verifier = TokenVerifier.new()
     end
 
     def self.default
@@ -297,5 +301,12 @@ module AuthressSdk
         obj
       end
     end
+
+    # Verify a JWT token
+    # @param [String] The JWT token
+    # @return [Object] Returns a Map of user identity properties
+    def verify_token(token)
+      @token_verifier.verify_token(custom_domain_url, token)
+    end
   end
 end

data/lib/authress-sdk/omniauth.rb

@@ -146,7 +146,7 @@ module OmniAuth
             env['omniauth.auth'] = auth_hash
             call_app!
           end
-        rescue AuthressSdk::TokenValidationError => e
+        rescue AuthressSdk::TokenVerificationError => e
           fail!(:token_validation_error, e)
         rescue ::OAuth2::Error, CallbackError => e
           fail!(:invalid_credentials, e)

data/lib/authress-sdk/service_client_token_provider.rb

@@ -1,17 +1,90 @@
-require 'date'
+require 'time'
 require 'json'
 require 'logger'
 require 'uri'
 
 module AuthressSdk
   class ServiceClientTokenProvider    
-    def initialize(client_access_key)
+    def initialize(client_access_key, custom_domain_url = nil)
+      @custom_domain_url = custom_domain_url
       @client_access_key = client_access_key
+      @cachedKeyData = nil
+    end
+
+    def sanitizeUrl(url)
+      if url.nil?
+        return nil
+      end
+
+      if (url.match(/^http/))
+        return url
+      end
+    
+      if (url.match(/^localhost/))
+        return "http://#{url}"
+      end
+    
+      return "https://#{url}"
+    end
+
+    def get_issuer(unsanitizedAuthressCustomDomain, decodedAccessKey)
+      authressCustomDomain = sanitizeUrl(@custom_domain_url).gsub(/\/+$/, '')
+      return "#{authressCustomDomain}/v1/clients/#{decodedAccessKey.clientId}"
     end
 
     def get_token()
-      # TODO: This should use the JWT creation strategy and not the client api token one
-      @client_access_key
+      if @cachedKeyData && @cachedKeyData.token && Time.now().to_i() + 3600 < @cachedKeyData.expiresAtInSeconds
+        return @cachedKeyData.token
+      end
+
+      accountId = @client_access_key.split('.')[2];
+      decodedAccessKeyHash = {
+        clientId: @client_access_key.split('.')[0],
+        keyId: @client_access_key.split('.')[1],
+        audience: "#{accountId}.accounts.authress.io",
+        privateKey: @client_access_key.split('.')[3]
+      }
+      decodedAccessKey = Struct.new(*decodedAccessKeyHash.keys).new(*decodedAccessKeyHash.values)
+
+      now = Time.now().to_i()
+      jwt = {
+        aud: decodedAccessKey.audience,
+        iss: get_issuer(@custom_domain_url || "#{accountId}.api.authress.io", decodedAccessKey),
+        sub: decodedAccessKey.clientId,
+        client_id: decodedAccessKey.clientId,
+        iat: now,
+        # valid for 24 hours
+        exp: now + 60 * 60 * 24,
+        scope: 'openid'
+      }
+
+      if decodedAccessKey.privateKey.nil?
+        raise Exception("Invalid Service Client Access Key")
+      end
+
+      return decodedAccessKey.privateKey
+
+      # The Ed25519 module is broken right now and doesn't accept valid private keys.
+      # private_key = RbNaCl::Signatures::Ed25519::SigningKey.new(Base64.decode64(decodedAccessKey.privateKey)[0, 32])
+      
+      # token = JWT.encode(jwt, private_key, 'ED25519', { typ: 'at+jwt', alg: 'EdDSA', kid: decodedAccessKey.keyId })
+      # @cachedKeyData = { token: token, expires: jwt['exp'] }
+      # return token
     end
   end
 end
+
+module JWTExtensions
+  # Fixed because https://github.com/jwt/ruby-jwt/issues/334 is still broken
+  def encode_header
+    # https://github.com/jwt/ruby-jwt/blob/main/lib/jwt/encode.rb#L17
+    @headers["alg"] = @headers["alg"].downcase == "ed25519" ? "EdDSA" : @headers["alg"]
+    super
+  end
+end
+
+module JWT
+  class Encode
+    prepend JWTExtensions
+  end
+end

data/lib/authress-sdk/token_validator.rb

@@ -1,13 +1,113 @@
 require 'base64'
 require 'uri'
 require 'json'
+require 'jwt'
 
 module AuthressSdk
-  class TokenValidationError < StandardError
-    attr_reader :error_reason
-    def initialize(msg)
-      @error_reason = msg
-      super(msg)
+  class TokenVerifier
+   
+    attr_accessor :key_map
+
+    def initialize()
+      @key_map = {}
+    end
+    
+    def verify_token(authressCustomDomain, token)
+      sanitized_domain = authressCustomDomain.gsub(/https?:\/\//, '')
+      completeIssuerUrl = "https://#{sanitized_domain}"
+      if token.nil?
+        raise TokenVerificationError.new("Unauthorized: No token specified")
+      end
+
+      begin
+        authenticationToken = token
+        unverifiedPayload = JWT.decode(authenticationToken, nil, false)
+      rescue JWT::DecodeError
+        begin
+          serviceClient = AuthressSdk::ServiceClientTokenProvider.new(token, completeIssuerUrl)
+          authenticationToken = serviceClient.get_token()
+          unverifiedPayload = JWT.decode(authenticationToken, nil, false)
+        rescue Exception => e
+          raise TokenVerificationError.new("Unauthorized: Invalid Token format: #{e}")
+        end
+      end
+
+      if unverifiedPayload.nil?
+        raise TokenVerificationError.new("Unauthorized: Invalid Token or Token not found")
+      end
+
+      kid = unverifiedPayload[1]["kid"]
+      if kid.nil?
+        raise TokenVerificationError.new("Unauthorized: No KID found in token")
+      end
+
+      issuer = unverifiedPayload[0]["iss"]
+      if issuer.nil?
+        raise TokenVerificationError.new("Unauthorized: No Issuer in token")
+      end
+
+      if (URI(issuer).host != URI(completeIssuerUrl).host)
+        raise TokenVerificationError.new("Unauthorized: Issuer does not match")
+      end
+
+      # Handle service client checking
+      issuerPath = URI(issuer).path
+      clientIdMatcher = /^\/v\d\/clients\/([^\/]+)$/.match(issuerPath)
+      if clientIdMatcher && clientIdMatcher[1] != unverifiedPayload[0]['sub']
+        raise TokenVerificationError.new("Unauthorized: Service ID does not match token sub claim")
+      end
+
+      jwkObject = get_public_key("#{issuer}/.well-known/openid-configuration/jwks", kid)
+      jwk = jwkObject.verify_key()
+
+      begin
+        # https://github.com/jwt/ruby-jwt?tab=readme-ov-file
+        decodedResult = JWT.decode(authenticationToken, jwk, true, { algorithm: 'EdDSA' })
+        return decodedResult[0]
+      rescue Exception => e
+        raise TokenVerificationError.new("Unauthorized: Token is invalid - #{e}")
+      end
+    end
+
+    def get_public_key(jwkKeyListUrl, kid)
+      hashKey = "#{jwkKeyListUrl}|#{kid}"
+
+      if @key_map[hashKey].nil?
+        @key_map[hashKey] = get_key_uncached(jwkKeyListUrl, kid)
+      end
+
+      begin
+        key = @key_map[hashKey]
+        return key
+      rescue
+        @key_map[hashKey] = get_key_uncached(jwkKeyListUrl, kid)
+        return @key_map[hashKey]
+      end
     end
+
+    def get_key_uncached(jwkKeyListUrl, kid)
+      response = Typhoeus::Request.new(jwkKeyListUrl.to_s, { :method => :get, :ssl_verifypeer => true, :ssl_verifyhost => 2, :verbose => false }).run
+      unless response.success?
+        raise TokenVerificationError.new("Unauthorized: Failed to fetch jwks from: #{jwkKeyListUrl}")
+      end
+
+      jwks = JWT::JWK::Set.new(JSON.parse(response.body))
+
+      key = jwks.find{|key| key[:kid] == kid }
+      if key
+        return key
+      end
+
+      raise TokenVerificationError.new("Unauthorized: KID was not found in the list of valid JWKs: #{kid}")
+    end
+
+    class TokenVerificationError < StandardError
+      attr_reader :error_reason
+      def initialize(msg)
+        @error_reason = msg
+        super(msg)
+      end
+    end
+
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authress-sdk
 version: !ruby/object:Gem::Version
-  version: 2.0.40.0
+  version: 2.0.43.0
 platform: ruby
 authors:
 - Authress
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-08-24 00:00:00.000000000 Z
+date: 2024-05-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: typhoeus
@@ -60,6 +60,20 @@ dependencies:
         version: '0'
 - !ruby/object:Gem::Dependency
   name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.8'
+- !ruby/object:Gem::Dependency
+  name: oauth2
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -73,7 +87,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: oauth2
+  name: rbnacl
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="