azure_jwt_auth 0.1.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: f26367508cac71e2138946eca9d96411ada1093c7ca9b6ce88366ca27799c108
+  data.tar.gz: edd4ae435720cbc4d8d5438ce447fdbefd18071530afa84c60b21c7d799558fc
+SHA512:
+  metadata.gz: dd67132ec694be2951a296f4bfdc3c7b393389e17cb188a0dc738ab2d1da2333346e770ac6c0164f68113ae10f506916236b05e5f1dc53da4f531a65f4b670a7
+  data.tar.gz: e47ac0cbe7aaabacb6df6293dfbdc7d7beaf33b150ed3b9f5211dcc0624503541a407699a610b500530ecbea6480d26a6fb066bbe0c3472d91bc7c1ca080c5f5

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2017 rjurado
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,171 @@
+# AzureJwtAuth
+![Build Status](https://travis-ci.org/nosolosoftware/azure_jwt_auth.svg?branch=master)
+
+Easy way for Ruby applications to authenticate to Azure B2C/AD in order to access protected web resources.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'azure_jwt_auth'
+```
+
+And then execute:
+
+```bash
+$ bundle
+```
+
+Or install it yourself as:
+
+```bash
+$ gem install azure_jwt_auth
+```
+
+## Usage with Rails
+
+First of all, we add our providers into an initializer:
+
+```ruby
+# config/initializers/azure.rb
+
+require 'azure_jwt_auth/jwt_manager'
+
+AzureJwtAuth::JwtManager.load_provider(
+  :b2c,
+  'https://login.microsoftonline.com/.../v2.0/.well-known/openid-configuration')
+)
+
+AzureJwtAuth::JwtManager.load_provider(
+  :ad,
+  'https://sts.windows.net/.../v2.0/.well-known/openid-configuration'
+)
+...
+```
+
+Then, we add `Authenticable` module into `ApplicationController` and define `entity_from_token_payload` method.  
+This method is used by `Authenticable` module to load `current_user`.
+
+```ruby
+require 'azure_jwt_auth/authenticable'
+
+class ApplicationController < ActionController::API
+  include AzureJwtAuth::Authenticable
+
+  rescue_from AzureJwtAuth::NotAuthorized, with: :render_401
+
+  private
+
+  def render_401
+    render json: {}, status: 401
+  end
+
+  def entity_from_token_payload(payload)
+    # Returns a valid entity, `nil` or raise
+    # e.g.
+    #   User.find payload['sub']
+  end
+end
+```
+
+Finally, we can use `authenticate!` method into ours controllers:
+
+```ruby
+class ExampleController < ApplicationController
+  before_action :authenticate!
+
+  ...
+end
+```
+
+## Providers
+
+Provider class initializer receives the following parameters:
+
+| parameter   | description |
+| --          | --          |
+| uid         | unique provider identifier |
+| config_url  | azure url to get config |
+| validations | payload fields validations which will be checked for each token: `{payload_field: value_expected, ...}` (optional) |
+
+We create providers using the `AzureJwtAuth::JwtManager.load_provider` method:
+
+```ruby
+AzureJwtAuth::JwtManager.load_provider(
+  :b2c, # uid
+  'https://login.microsoftonline.com/.../v2.0/.well-known/openid-configuration'), # config_url
+  {'aud' => 'my_app_id'} # validations
+)
+```
+
+## Authenticable
+
+[This module](lib/azure_jwt_auth/authenticable.rb) provides us with the following methods:
+
+* __authenticate!__
+
+  Check if a token is valid for any provider and loads `current_user`. Otherwise it throws an exception.
+
+  If you need other behavior you can define your custom authenticate! method like this:
+
+  ```ruby
+  def my_authenticate!
+    begin
+      token = JwtManager.new(request, :privider_id)
+      unauthorize! unless token.valid?
+    rescue
+      unauthorize!
+    end
+
+    @current_user = User.find(token.payload['sub'])
+  end
+  ```
+
+* __current_user__
+
+  Returns current_user loaded by `authenticate!` method.
+
+* __signed_in?__
+
+  Check if exists current_user.
+
+* __unauthorize!__
+
+  Throws a `AzureJwtAuth::NotAuthorized` exception.
+
+## Testing (rspec)
+
+Require the [AzureJwtAuth::Spec::Helpers](lib/azure_jwt_auth/spec/helpers.rb) helper module in `rails_helper.rb`.
+
+```ruby
+  require 'azure_jwt_auth/spec/helpers'
+  ...
+  RSpec.configure do |config|
+    ...
+    config.include AzureJwtAuth::Spec::Helpers, :type => :controller
+  end
+```
+
+And then we can just call `sign_in(user)`:
+
+```ruby
+  describe ExampleController
+    let(:user) { MyEntity.create(...) }
+
+    it "blocks unauthenticated access" do
+      get :index
+      expect(response).to have_http_status(401)
+    end
+
+    it "allows authenticated access" do
+      sign_in user # user will be returned by current_user method
+      get :index
+      expect(response).to have_http_status(200)
+    end
+  end
+```
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/lib/azure_jwt_auth.rb

@@ -0,0 +1,8 @@
+require 'bcrypt'
+
+module AzureJwtAuth
+  KidNotFound = Class.new(StandardError)
+  InvalidProviderConfig = Class.new(StandardError)
+  NotAuthorizationHeader = Class.new(StandardError)
+  ProviderNotFound = Class.new(StandardError)
+end

data/lib/azure_jwt_auth/authenticable.rb

@@ -0,0 +1,36 @@
+require 'azure_jwt_auth/jwt_manager'
+
+module AzureJwtAuth
+  AzureJwtAuth::NotAuthorized = Class.new(StandardError)
+
+  module Authenticable
+    def current_user
+      @current_user
+    end
+
+    def signed_in?
+      !current_user.nil?
+    end
+
+    def authenticate!
+      unauthorize! unless JwtManager.providers
+
+      JwtManager.providers.each do |_uid, provider|
+        token = JwtManager.new(request, provider.uid)
+
+        if token.valid?
+          @current_user = entity_from_token_payload(token.payload)
+          break
+        end
+      rescue => error
+        Rails.logger.info(error) if defined? Rails
+      end
+
+      unauthorize! unless @current_user
+    end
+
+    def unauthorize!
+      raise NotAuthorized
+    end
+  end
+end

data/lib/azure_jwt_auth/jwt_manager.rb

@@ -0,0 +1,73 @@
+require 'azure_jwt_auth/provider'
+require 'jwt'
+
+module AzureJwtAuth
+  class JwtManager
+    class << self
+      attr_reader :providers
+
+      def load_provider(uid, config_uri, validations={})
+        @providers ||= {}
+        @providers[uid] = Provider.new(uid, config_uri, validations)
+      end
+
+      def find_provider(uid)
+        return unless @providers
+        @providers[uid]
+      end
+    end
+
+    def initialize(request, provider_id)
+      raise NotAuthorizationHeader unless request.env['HTTP_AUTHORIZATION']
+      raise ProviderNotFound unless (@provider = self.class.find_provider(provider_id))
+
+      @jwt = request.env['HTTP_AUTHORIZATION'].split.last # remove Bearer
+      @jwt_info = decode
+    end
+
+    def payload
+      @jwt_info ? @jwt_info.first : nil
+    end
+
+    # Validates the payload hash for expiration and meta claims
+    def valid?
+      payload && iss_valid? && custom_valid?
+    end
+
+    # Check custom validations defined into provider
+    def custom_valid?
+      @provider.validations.each do |key, value|
+        return false unless payload[key] == value
+      end
+
+      true
+    end
+
+    # Validates issuer
+    def iss_valid?
+      payload['iss'] == @provider.config['issuer']
+    end
+
+    private
+
+    # Decodes the JWT with the signed secret
+    def decode
+      dirty_token = JWT.decode(@jwt, nil, false)
+      kid = dirty_token.last['kid']
+      try = false
+
+      begin
+        rsa = @provider.keys[kid]
+        raise KidNotFound, 'kid not found into provider keys' unless rsa
+
+        JWT.decode(@jwt, rsa.public_key, true, algorithm: 'RS256')
+      rescue JWT::VerificationError, KidNotFound
+        raise if try
+
+        @provider.load_keys # maybe keys have been changed
+        try = true
+        retry
+      end
+    end
+  end
+end

data/lib/azure_jwt_auth/provider.rb

@@ -0,0 +1,36 @@
+require 'net/http'
+require 'rsa_pem'
+
+module AzureJwtAuth
+  class Provider
+    attr_reader :uid, :config_uri, :validations
+    attr_reader :config, :keys
+
+    def initialize(uid, config_uri, validations={})
+      @uid = uid
+      @config_uri = config_uri
+      @validations = validations
+
+      begin
+        @config = JSON.parse(Net::HTTP.get(URI(config_uri)))
+      rescue JSON::ParserError
+        raise InvalidProviderConfig, "config_uri response is not valid for provider: #{uid}"
+      end
+
+      load_keys
+    end
+
+    def load_keys
+      uri = URI(@config['jwks_uri'])
+      keys = JSON.parse(Net::HTTP.get(uri))['keys']
+
+      @keys = {}
+      keys.each do |key|
+        cert = RsaPem.from(key['n'], key['e'])
+        rsa = OpenSSL::PKey::RSA.new(cert)
+
+        @keys[key['kid']] = rsa
+      end
+    end
+  end
+end

data/lib/azure_jwt_auth/spec/helpers.rb

@@ -0,0 +1,12 @@
+module AzureJwtAuth
+  module Spec
+    module Helpers
+      require 'azure_jwt_auth/jwt_manager'
+
+      def sign_in(user)
+        allow(controller).to receive(:authenticate!).and_return(true)
+        allow(controller).to receive(:current_user).and_return(user)
+      end
+    end
+  end
+end

data/lib/azure_jwt_auth/spec/not_authorized.rb

@@ -0,0 +1,6 @@
+module AzureJwtAuth
+  module Spec
+    class NotAuthorized < StandardError
+    end
+  end
+end

data/lib/azure_jwt_auth/version.rb

@@ -0,0 +1,3 @@
+module AzureJwtAuth
+  VERSION = '0.1.1'
+end

metadata

@@ -0,0 +1,97 @@
+--- !ruby/object:Gem::Specification
+name: azure_jwt_auth
+version: !ruby/object:Gem::Version
+  version: 0.1.1
+platform: ruby
+authors:
+- rjurado
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-04-04 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bcrypt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: rsa-pem-from-mod-exp
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+description: Easy way for Ruby applications to authenticate to Azure B2C/AD in order
+  to access protected web resources.
+email:
+- rjurado@nosolosoftware.es
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- lib/azure_jwt_auth.rb
+- lib/azure_jwt_auth/authenticable.rb
+- lib/azure_jwt_auth/jwt_manager.rb
+- lib/azure_jwt_auth/provider.rb
+- lib/azure_jwt_auth/spec/helpers.rb
+- lib/azure_jwt_auth/spec/not_authorized.rb
+- lib/azure_jwt_auth/version.rb
+homepage: https://github.com/nosolosoftware/azure_jwt_auth
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.3
+signing_key: 
+specification_version: 4
+summary: Azure B2C/AD authentication using Ruby.
+test_files: []