RubyGems - authress-sdk - Versions diffs - 2.0.41.0 → 2.0.43.0 - Mend

authress-sdk 2.0.41.0 → 2.0.43.0

Files changed (7) hide show

checksums.yaml +4 -4
data/README.md +2 -1
data/lib/authress-sdk/authress_client.rb +11 -0
data/lib/authress-sdk/omniauth.rb +1 -1
data/lib/authress-sdk/service_client_token_provider.rb +77 -4
data/lib/authress-sdk/token_validator.rb +105 -5
metadata +17 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f455223c994f32796ba78600e80315534d15e06b1aeef0012738159eb0a995fc
-  data.tar.gz: 478cfab70f9202188d0723db8a20579731733661e9672a3f048dfaf9c4d385fb
+  metadata.gz: 8d32ad65dcb072b5d8a7365e5859fc3342ae2425945380781707650a19f9926c
+  data.tar.gz: f81db7d0bc6e7fd9c5d1217f6cd87d02a3ce8dffd8e8e69e0ae95109ab33944c
 SHA512:
-  metadata.gz: 218b7773c304ad04d04de5a81a9688b3e91273b0a72ea2441dbcca268406c5d528b473d022fa3352e5d74d67889a4997b356479b8af189c9988d2faa19a0758f
-  data.tar.gz: 5187f86eee213a864314303ef2345d690e81f48cad3774d295d69e681cb52054f1c0504de0270f9eb1871b27fb1efd98159e7aaf47c2503ad3ee2faeb1b3d888
+  metadata.gz: 26e8f74c75866011ca9462cf00388401a1d7e402925013e588aaed065cebd8ff6662ce5fe95ce9d98dcdc4d69693e711a862566b1b4c04120b30ab31700b8c62
+  data.tar.gz: e7aacd4c91af4346b2c3ae79687335e5394fa811d2ceca575ddd531f9789dc9dddfffe2162cce941e1a4025b1228047247130141a3bb26930387f8325040a16f

data/README.md CHANGED Viewed

@@ -78,7 +78,7 @@ end
 # on api route
 [route('/resources/<resourceId>')]
-def getResource(resourceId) {
+def getResource(resourceId)
   # Check Authress to authorize the user
   user_identity = AuthressSdk::AuthressClient.verify_token(request.headers.get('authorization'))
@@ -86,6 +86,7 @@ def getResource(resourceId) {
   user_id = user_identity.sub
   resource_uri = "resources/#{resourceId}" # String | The uri path of a resource to validate, must be URL encoded, uri segments are allowed, the resource must be a full path, and permissions are not inherited by sub-resources.
   permission = 'READ' # String | Permission to check, '*' and scoped permissions can also be checked here.
   begin
     # Check to see if a user has permissions to a resource.
     api_instance = AuthressSdk::UserPermissionsApi.new

data/lib/authress-sdk/authress_client.rb CHANGED Viewed

@@ -20,6 +20,9 @@ module AuthressSdk
     # Token Provider
     attr_accessor :token_provider
+    # The Token verifier
+    attr_accessor :token_verifier
     # Initializes the AuthressClient
     def initialize()
       @config = {
@@ -29,6 +32,7 @@ module AuthressSdk
       }
       @token_provider = ConstantTokenProvider.new(nil)
+      @token_verifier = TokenVerifier.new()
     end
     def self.default
@@ -297,5 +301,12 @@ module AuthressSdk
         obj
       end
     end
+    # Verify a JWT token
+    # @param [String] The JWT token
+    # @return [Object] Returns a Map of user identity properties
+    def verify_token(token)
+      @token_verifier.verify_token(custom_domain_url, token)
+    end
   end
 end

data/lib/authress-sdk/omniauth.rb CHANGED Viewed

@@ -146,7 +146,7 @@ module OmniAuth
             env['omniauth.auth'] = auth_hash
             call_app!
           end
-        rescue AuthressSdk::TokenValidationError => e
+        rescue AuthressSdk::TokenVerificationError => e
           fail!(:token_validation_error, e)
         rescue ::OAuth2::Error, CallbackError => e
           fail!(:invalid_credentials, e)

data/lib/authress-sdk/service_client_token_provider.rb CHANGED Viewed

@@ -1,17 +1,90 @@
-require 'date'
+require 'time'
 require 'json'
 require 'logger'
 require 'uri'
 module AuthressSdk
   class ServiceClientTokenProvider
-    def initialize(client_access_key)
+    def initialize(client_access_key, custom_domain_url = nil)
+      @custom_domain_url = custom_domain_url
       @client_access_key = client_access_key
+      @cachedKeyData = nil
+    end
+    def sanitizeUrl(url)
+      if url.nil?
+        return nil
+      end
+      if (url.match(/^http/))
+        return url
+      end
+      if (url.match(/^localhost/))
+        return "http://#{url}"
+      end
+      return "https://#{url}"
+    end
+    def get_issuer(unsanitizedAuthressCustomDomain, decodedAccessKey)
+      authressCustomDomain = sanitizeUrl(@custom_domain_url).gsub(/\/+$/, '')
+      return "#{authressCustomDomain}/v1/clients/#{decodedAccessKey.clientId}"
     end
     def get_token()
-      # TODO: This should use the JWT creation strategy and not the client api token one
-      @client_access_key
+      if @cachedKeyData && @cachedKeyData.token && Time.now().to_i() + 3600 < @cachedKeyData.expiresAtInSeconds
+        return @cachedKeyData.token
+      end
+      accountId = @client_access_key.split('.')[2];
+      decodedAccessKeyHash = {
+        clientId: @client_access_key.split('.')[0],
+        keyId: @client_access_key.split('.')[1],
+        audience: "#{accountId}.accounts.authress.io",
+        privateKey: @client_access_key.split('.')[3]
+      }
+      decodedAccessKey = Struct.new(*decodedAccessKeyHash.keys).new(*decodedAccessKeyHash.values)
+      now = Time.now().to_i()
+      jwt = {
+        aud: decodedAccessKey.audience,
+        iss: get_issuer(@custom_domain_url || "#{accountId}.api.authress.io", decodedAccessKey),
+        sub: decodedAccessKey.clientId,
+        client_id: decodedAccessKey.clientId,
+        iat: now,
+        # valid for 24 hours
+        exp: now + 60 * 60 * 24,
+        scope: 'openid'
+      }
+      if decodedAccessKey.privateKey.nil?
+        raise Exception("Invalid Service Client Access Key")
+      end
+      return decodedAccessKey.privateKey
+      # The Ed25519 module is broken right now and doesn't accept valid private keys.
+      # private_key = RbNaCl::Signatures::Ed25519::SigningKey.new(Base64.decode64(decodedAccessKey.privateKey)[0, 32])
+      # token = JWT.encode(jwt, private_key, 'ED25519', { typ: 'at+jwt', alg: 'EdDSA', kid: decodedAccessKey.keyId })
+      # @cachedKeyData = { token: token, expires: jwt['exp'] }
+      # return token
     end
   end
 end
+module JWTExtensions
+  # Fixed because https://github.com/jwt/ruby-jwt/issues/334 is still broken
+  def encode_header
+    # https://github.com/jwt/ruby-jwt/blob/main/lib/jwt/encode.rb#L17
+    @headers["alg"] = @headers["alg"].downcase == "ed25519" ? "EdDSA" : @headers["alg"]
+    super
+  end
+end
+module JWT
+  class Encode
+    prepend JWTExtensions
+  end
+end

data/lib/authress-sdk/token_validator.rb CHANGED Viewed

@@ -1,13 +1,113 @@
 require 'base64'
 require 'uri'
 require 'json'
+require 'jwt'
 module AuthressSdk
-  class TokenValidationError < StandardError
-    attr_reader :error_reason
-    def initialize(msg)
-      @error_reason = msg
-      super(msg)
+  class TokenVerifier
+    attr_accessor :key_map
+    def initialize()
+      @key_map = {}
+    end
+    def verify_token(authressCustomDomain, token)
+      sanitized_domain = authressCustomDomain.gsub(/https?:\/\//, '')
+      completeIssuerUrl = "https://#{sanitized_domain}"
+      if token.nil?
+        raise TokenVerificationError.new("Unauthorized: No token specified")
+      end
+      begin
+        authenticationToken = token
+        unverifiedPayload = JWT.decode(authenticationToken, nil, false)
+      rescue JWT::DecodeError
+        begin
+          serviceClient = AuthressSdk::ServiceClientTokenProvider.new(token, completeIssuerUrl)
+          authenticationToken = serviceClient.get_token()
+          unverifiedPayload = JWT.decode(authenticationToken, nil, false)
+        rescue Exception => e
+          raise TokenVerificationError.new("Unauthorized: Invalid Token format: #{e}")
+        end
+      end
+      if unverifiedPayload.nil?
+        raise TokenVerificationError.new("Unauthorized: Invalid Token or Token not found")
+      end
+      kid = unverifiedPayload[1]["kid"]
+      if kid.nil?
+        raise TokenVerificationError.new("Unauthorized: No KID found in token")
+      end
+      issuer = unverifiedPayload[0]["iss"]
+      if issuer.nil?
+        raise TokenVerificationError.new("Unauthorized: No Issuer in token")
+      end
+      if (URI(issuer).host != URI(completeIssuerUrl).host)
+        raise TokenVerificationError.new("Unauthorized: Issuer does not match")
+      end
+      # Handle service client checking
+      issuerPath = URI(issuer).path
+      clientIdMatcher = /^\/v\d\/clients\/([^\/]+)$/.match(issuerPath)
+      if clientIdMatcher && clientIdMatcher[1] != unverifiedPayload[0]['sub']
+        raise TokenVerificationError.new("Unauthorized: Service ID does not match token sub claim")
+      end
+      jwkObject = get_public_key("#{issuer}/.well-known/openid-configuration/jwks", kid)
+      jwk = jwkObject.verify_key()
+      begin
+        # https://github.com/jwt/ruby-jwt?tab=readme-ov-file
+        decodedResult = JWT.decode(authenticationToken, jwk, true, { algorithm: 'EdDSA' })
+        return decodedResult[0]
+      rescue Exception => e
+        raise TokenVerificationError.new("Unauthorized: Token is invalid - #{e}")
+      end
+    end
+    def get_public_key(jwkKeyListUrl, kid)
+      hashKey = "#{jwkKeyListUrl}|#{kid}"
+      if @key_map[hashKey].nil?
+        @key_map[hashKey] = get_key_uncached(jwkKeyListUrl, kid)
+      end
+      begin
+        key = @key_map[hashKey]
+        return key
+      rescue
+        @key_map[hashKey] = get_key_uncached(jwkKeyListUrl, kid)
+        return @key_map[hashKey]
+      end
     end
+    def get_key_uncached(jwkKeyListUrl, kid)
+      response = Typhoeus::Request.new(jwkKeyListUrl.to_s, { :method => :get, :ssl_verifypeer => true, :ssl_verifyhost => 2, :verbose => false }).run
+      unless response.success?
+        raise TokenVerificationError.new("Unauthorized: Failed to fetch jwks from: #{jwkKeyListUrl}")
+      end
+      jwks = JWT::JWK::Set.new(JSON.parse(response.body))
+      key = jwks.find{|key| key[:kid] == kid }
+      if key
+        return key
+      end
+      raise TokenVerificationError.new("Unauthorized: KID was not found in the list of valid JWKs: #{kid}")
+    end
+    class TokenVerificationError < StandardError
+      attr_reader :error_reason
+      def initialize(msg)
+        @error_reason = msg
+        super(msg)
+      end
+    end
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authress-sdk
 version: !ruby/object:Gem::Version
-  version: 2.0.41.0
+  version: 2.0.43.0
 platform: ruby
 authors:
 - Authress
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-02-21 00:00:00.000000000 Z
+date: 2024-05-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: typhoeus
@@ -60,6 +60,20 @@ dependencies:
         version: '0'
 - !ruby/object:Gem::Dependency
   name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.8'
+- !ruby/object:Gem::Dependency
+  name: oauth2
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -73,7 +87,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: oauth2
+  name: rbnacl
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="