conjur-rack 1.4.0 → 3.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 90340dd3a8dbc2f410a43b66ef10d010e76a9ffd
-  data.tar.gz: 9cc5f13b006ac102df5a28b65da08e7f3a7ef6dd
+  metadata.gz: 0ee85c177c59da73e229825170b3b8c34230e4e1
+  data.tar.gz: 7758e75373c0ccdfcb61539a33325795d5394600
 SHA512:
-  metadata.gz: 9223bfe5621080f8b9dba63e2de5593e2f6e44d2ad34d3beb60c8447a0ff8340eae3d1530420975052cfcbe6d26a66e2bbc5c8a1737f0019a2ee437c0fe458a3
-  data.tar.gz: 58042ba2ee61e535da72b1395ab7f48e1a873d8fba78fdc0ac1ab1a01a15b3dda63e7ba78fe83a550876c180238fbe5d38917d50f5c0485cf8dba1f42bfdbb67
+  metadata.gz: ccec8cadd0827fbf5b298f57fa78aa32a7792a58d985c0ff54ee05b80c256e55c0a9c868a1432be4908d7314c9becefdcf812ed95aad28ec756e989ad250def2
+  data.tar.gz: 36e507e1714480f2c5e4f5ff9d3af63cca883f855fc2259e272c3ce45420dadc36e0cd64cbe926f6396d0d3793968f802df147950ac0db86c7b69bba3abd0b8d

data/CHANGELOG.md

@@ -1,3 +1,28 @@
+# v3.1.0
+
+* Support for JWT Slosilo tokens.
+
+# v3.0.0.pre
+
+* Initial support for Conjur 5.
+
+# v2.3.0
+
+* Add TRUSTED_PROXIES support
+
+# v2.2.0
+
+* resolve 'own' token to CONJUR_ACCOUNT env var
+* add #optional paths to Conjur::Rack authenticator
+
+# v2.1.0
+
+* Add handling for `Conjur-Audit-Roles` and `Conjur-Audit-Resources`
+
+# v2.0.0
+
+* Change `global_sudo?` to `global_elevate?`
+
 # v1.4.0
 
 * Add `validated_global_privilege` helper function to get the global privilege, if any, which has been submitted with the request and verified by the Conjur server.

data/Gemfile

@@ -1,6 +1,12 @@
 source 'https://rubygems.org'
 
+# make sure github uses TLS
+git_source(:github) { |name| "https://github.com/#{name}.git" }
+
+#ruby=ruby-2.3.4
+#ruby-gemset=conjur-rack
+
 # Specify your gem's dependencies in conjur-rack.gemspec
 gemspec
 
-gem 'conjur-api', github: 'conjurinc/api-ruby', branch: 'master'
+# gem 'conjur-api', github: 'cyberark/conjur-api-ruby', branch: 'master'

data/conjur-rack.gemspec

@@ -18,12 +18,15 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
 
-  spec.add_dependency "slosilo"
-  spec.add_dependency "conjur-api", ">= 4.17"
-  spec.add_dependency "rack"
+  spec.add_dependency "slosilo", "~> 2.1"
+  spec.add_dependency "conjur-api", "< 6"
+  spec.add_dependency "rack", '~> 1'
 
   spec.add_development_dependency "bundler", "~> 1.3"
   spec.add_development_dependency "rake"
-  spec.add_development_dependency "rspec", ">=2.9", "<3.0"
+  spec.add_development_dependency "rspec"
   spec.add_development_dependency 'ci_reporter_rspec'
+  spec.add_development_dependency 'pry-byebug'
+  spec.add_development_dependency 'rspec-its'
+
 end

data/jenkins.sh

@@ -0,0 +1,12 @@
+#!/bin/bash -e
+
+TEST_IMAGE='ruby:2.3.4'
+
+rm -f Gemfile.lock
+
+docker run --rm \
+  -v "$PWD:/usr/src/app" \
+  -w /usr/src/app \
+  -e CONJUR_ENV=ci \
+  $TEST_IMAGE \
+  bash -c "bundle update && bundle exec rake spec"

data/lib/conjur/rack.rb

@@ -1,3 +1,26 @@
 require "conjur/rack/version"
 require "conjur/rack/authenticator"
 require "conjur/rack/path_prefix"
+require 'ipaddr'
+require 'set'
+
+module TrustedProxies
+  
+  def trusted_proxy?(ip)
+    trusted_proxies ? trusted_proxies.any? { |cidr| cidr.include?(ip) } : super
+  end
+  
+  def trusted_proxies
+    @trusted_proxies || ENV['TRUSTED_PROXIES'].try do |proxies|
+      cidrs = Set.new(proxies.split(',') + ['127.0.0.1'])
+      @trusted_proxies = cidrs.collect {|cidr| IPAddr.new(cidr) }
+    end
+  end
+  
+end
+
+module Rack
+  class Request
+    prepend TrustedProxies
+  end
+end

data/lib/conjur/rack/authenticator.rb

@@ -2,36 +2,51 @@ require "conjur/rack/user"
 
 module Conjur
   module Rack
-    def self.identity?
-      !Thread.current[:conjur_rack_identity].nil?
-    end
-    
-    def self.user
-      User.new(identity[0], identity[1], privilege, remote_ip)
-    end
-    
-    def self.identity
-      Thread.current[:conjur_rack_identity] or raise "No Conjur identity for current request"
-    end
-    
-    def self.privilege
-      Thread.current[:conjur_rack_privilege]
-    end
-    
-    def self.remote_ip
-      Thread.current[:conjur_rack_remote_ip]
+
+    class << self
+      def conjur_rack
+        Thread.current[:conjur_rack] ||= {}
+      end
+
+      def identity?
+        !conjur_rack[:identity].nil?
+      end
+      
+      def user
+        User.new(identity[0], identity[1], 
+          :privilege => privilege, 
+          :remote_ip => remote_ip, 
+          :audit_roles => audit_roles, 
+          :audit_resources => audit_resources
+          )
+      end
+      
+      def identity
+        conjur_rack[:identity] or raise "No Conjur identity for current request"
+      end
+
+      # class attributes
+      [:privilege, :remote_ip, :audit_roles, :audit_resources].each do |a|
+        define_method(a) do
+          conjur_rack[a]
+        end
+      end
     end
+
   
     class Authenticator
       class AuthorizationError < SecurityError
       end
       class SignatureError < SecurityError
       end
+      class Forbidden < SecurityError
+      end
       
       attr_reader :app, :options
       
       # +options+:
-      # :except :: a list of request path patterns for which to skip authentication
+      # :except :: a list of request path patterns for which to skip authentication.
+      # :optional :: request path patterns for which authentication is optional.
       def initialize app, options = {}
         @app = app
         @options = options
@@ -39,10 +54,13 @@ module Conjur
 
       # threadsafe accessors, values are established explicitly below
       def env; Thread.current[:rack_env] ; end
-      def token; Thread.current[:conjur_rack_token] ; end
-      def account; Thread.current[:conjur_rack_account]; end
-      def privilege; Thread.current[:conjur_rack_privilege]; end
-      def remote_ip; Thread.current[:conjur_rack_remote_ip]; end
+
+      # instance attributes
+      [:token, :account, :privilege, :remote_ip, :audit_roles, :audit_resources].each do |a|
+        define_method(a) do
+          conjur_rack[a]
+        end
+      end
  
       def call rackenv
         # never store request-specific variables as application attributes 
@@ -50,13 +68,19 @@ module Conjur
         if authenticate?
           begin
             identity = verify_authorization_and_get_identity # [token, account]
-             
-            Thread.current[:conjur_rack_token] = identity[0]
-            Thread.current[:conjur_rack_account] = identity[1]
-            Thread.current[:conjur_rack_identity] = identity
-            Thread.current[:conjur_rack_privilege] = conjur_privilege
-            Thread.current[:conjur_rack_remote_ip] = remote_ip
+            
+            if identity
+              conjur_rack[:token] = identity[0]
+              conjur_rack[:account] = identity[1]
+              conjur_rack[:identity] = identity
+              conjur_rack[:privilege] = http_privilege
+              conjur_rack[:remote_ip] = http_remote_ip
+              conjur_rack[:audit_roles] = http_audit_roles
+              conjur_rack[:audit_resources] = http_audit_resources
+            end
 
+          rescue Forbidden
+            return error 403, $!.message
           rescue SecurityError, RestClient::Exception
             return error 401, $!.message
           end
@@ -65,61 +89,108 @@ module Conjur
           @app.call rackenv
         ensure
           Thread.current[:rack_env] = nil
-          Thread.current[:conjur_rack_identity] = nil
-          Thread.current[:conjur_rack_token] = nil
-          Thread.current[:conjur_rack_account] = nil
-          Thread.current[:conjur_rack_privilege] = nil
-          Thread.current[:conjur_rack_remote_ip] = nil
+          Thread.current[:conjur_rack] = {}
         end
       end
       
       protected
       
+      def conjur_rack
+        Conjur::Rack.conjur_rack
+      end
+
       def validate_token_and_get_account token
-        failure = SignatureError.new("Unathorized: Invalid token")
+        failure = SignatureError.new("Unauthorized: Invalid token")
         raise failure unless (signer = Slosilo.token_signer token)
-        raise failure unless signer =~ /\Aauthn:(.+)\z/
-        return $1
+        if signer == 'own'
+          ENV['CONJUR_ACCOUNT'] or raise failure
+        else
+          raise failure unless signer =~ /\Aauthn:(.+)\z/
+          $1
+        end
       end
       
       def error status, message
         [status, { 'Content-Type' => 'text/plain', 'Content-Length' => message.length.to_s }, [message] ]
       end
+
+      def parsed_token
+        token = http_authorization.to_s[/^Token token="(.*)"/, 1]
+        token = token && JSON.parse(Base64.decode64(token))
+        token = Slosilo::JWT token rescue token
+      rescue JSON::ParserError
+        raise AuthorizationError.new("Malformed authorization token")
+      end
       
+      RECOGNIZED_CLAIMS = [
+        'iat', 'exp', # recognized by Slosilo
+        'cidr', 'sub',
+        'iss', 'aud', 'jti' # RFC 7519, not handled but recognized
+      ].freeze
+
       def verify_authorization_and_get_identity
-        if authorization.to_s[/^Token token="(.*)"/]
-          token = JSON.parse(Base64.decode64($1))
-          account = validate_token_and_get_account(token)
-          return [token, account]
+        if token = parsed_token
+          begin
+            account = validate_token_and_get_account token
+            if token.respond_to?(:claims)
+              claims = token.claims
+              raise AuthorizationError, "token contains unrecognized claims" unless \
+                  (claims.keys.map(&:to_s) - RECOGNIZED_CLAIMS).empty?
+              if (cidr = claims['cidr'])
+                raise Forbidden, "IP address rejected" unless \
+                    cidr.map(&IPAddr.method(:new)).any? { |c| c.include? http_remote_ip }
+              end
+            end
+            return [token, account]
+          end
         else
-          raise AuthorizationError.new("Authorization missing")
+          path = http_path
+          if optional_paths.find{|p| p.match(path)}.nil?
+            raise AuthorizationError.new("Authorization missing")
+          else
+            nil
+          end
         end
       end
       
       def authenticate?
+        path = http_path
         if options[:except]
           options[:except].find{|p| p.match(path)}.nil?
         else
           true
         end
       end
-
-      def conjur_privilege
-        env['HTTP_X_CONJUR_PRIVILEGE']
-      end
       
-      def authorization
+      def optional_paths
+        options[:optional] || []
+      end
+
+      def http_authorization
         env['HTTP_AUTHORIZATION']
       end
-      
-      def remote_ip
+
+      def http_privilege
+        env['HTTP_X_CONJUR_PRIVILEGE']
+      end
+
+      def http_remote_ip
         require 'rack/request'
         ::Rack::Request.new(env).ip
       end
-      
-      def path
+
+      def http_audit_roles
+        env['HTTP_CONJUR_AUDIT_ROLES']
+      end
+
+      def http_audit_resources
+        env['HTTP_CONJUR_AUDIT_RESOURCES']
+      end
+
+      def http_path
         [ env['SCRIPT_NAME'], env['PATH_INFO'] ].join
       end
+
     end
   end
 end

data/lib/conjur/rack/user.rb

@@ -2,25 +2,32 @@ require 'conjur/api'
 
 module Conjur
   module Rack
+    # Token data can be a string (which is the user login), or a Hash.
+    # If it's a hash, it should contain the user login keyed by the string 'login'.
+    # The rest of the payload is available as +attributes+.
     class User
-      attr_accessor :token, :account, :privilege, :remote_ip
+      attr_reader :token, :account, :privilege, :remote_ip, :audit_roles, :audit_resources
       
-      def initialize(token, account, privilege = nil, remote_ip = nil)
+      def initialize(token, account, options = {})
         @token = token
         @account = account
-        @privilege = privilege
-        @remote_ip = remote_ip
+        # Third argument used to be the name of privilege, be
+        # backwards compatible:
+        if options.respond_to?(:to_str)
+          @privilege = options
+        else
+          @privilege = options[:privilege]
+          @remote_ip = options[:remote_ip]
+          @audit_roles = options[:audit_roles]
+          @audit_resources = options[:audit_resources]
+        end
       end
       
       # This file was accidently calling account conjur_account,
       # I'm adding an alias in case that's going on anywhere else.
       # -- Jon
       alias :conjur_account :account
-      alias :conjur_account= :account=
-      
-      def new_association(cls, params = {})
-        cls.new params.merge({userid: login})
-      end
+      # alias :conjur_account= :account=
       
       # Returns the global privilege which was present on the request, if and only
       # if the user actually has that privilege.
@@ -41,13 +48,21 @@ module Conjur
         validated_global_privilege == "reveal"
       end
       
-      # True if and only if the user has valid global 'sudo' privilege.
-      def global_sudo?
-        validated_global_privilege == "sudo"
+      # True if and only if the user has valid global 'elevate' privilege.
+      def global_elevate?
+        validated_global_privilege == "elevate"
       end
       
       def login
-        token["data"] or raise "No data field in token"
+        parse_token
+
+        @login
+      end
+
+      def attributes
+        parse_token
+
+        @attributes || {}
       end
       
       def roleid
@@ -63,17 +78,56 @@ module Conjur
       def role
         api.role(roleid)
       end
-      
+
+      def audit_resources
+        Conjur::API.decode_audit_ids(@audit_resources) if @audit_resources
+      end
+
+      def audit_roles
+        Conjur::API.decode_audit_ids(@audit_roles) if @audit_roles
+      end
+
       def api(cls = Conjur::API)
         args = [ token ]
         args.push remote_ip if remote_ip
         api = cls.new_from_token(*args)
-        if privilege
-          api.with_privilege(privilege)
+        api = api.with_privilege(privilege) if privilege
+        api = api.with_audit_resources(audit_resources) if audit_resources
+        api = api.with_audit_roles(audit_roles) if audit_roles
+
+        api
+      end
+
+      protected
+
+      def parse_token
+        return if @login
+
+        @token = Slosilo::JWT token
+        load_jwt token
+      rescue ArgumentError
+        if data = token['data']
+          return load_legacy data
         else
-          api
+          raise "malformed token"
         end
       end
+
+      def load_legacy data
+        if data.is_a?(String)
+          @login = token['data']
+        elsif data.is_a?(Hash)
+          @attributes = token['data'].clone
+          @login = @attributes.delete('login') or raise "No 'login' field in token data"
+        else
+          raise "Expecting String or Hash token data, got #{data.class.name}"
+        end
+      end
+
+      def load_jwt jwt
+        @attributes = jwt.claims.merge (jwt.header || {}) # just pass all the info
+        @login = jwt.claims['sub'] or raise "No 'sub' field in claims"
+      end
     end
   end
 end

data/lib/conjur/rack/version.rb

@@ -1,5 +1,5 @@
 module Conjur
   module Rack
-    VERSION = "1.4.0"
+    VERSION = "3.1.0"
   end
 end

data/spec/rack/authenticator_spec.rb

@@ -3,107 +3,179 @@ require 'spec_helper'
 require 'conjur/rack/authenticator'
 
 describe Conjur::Rack::Authenticator do
-  let(:app) { double(:app) }
-  let(:options) { {} }
-  let(:authenticator) { Conjur::Rack::Authenticator.new(app, options) }
-  let(:call) { authenticator.call env }
-  
-  context "#call" do
-    context "with Conjur authorization" do
-      before{ stub_const 'Slosilo', Module.new }
-      let(:env) {
-        {
-          'HTTP_AUTHORIZATION' => "Token token=\"#{basic_64}\""
-        }.tap do |e|
-          e['HTTP_X_CONJUR_PRIVILEGE'] = privilege if privilege
-          e['HTTP_X_FORWARDED_FOR'] = remote_ip if remote_ip
-        end
+  include_context "with authenticator"
+
+  describe "#call" do
+    context "to an unprotected path" do
+      let(:except) { [ /^\/foo/ ] }
+      let(:env) { { 'SCRIPT_NAME' => '', 'PATH_INFO' => '/foo/bar' } }
+      before {
+        options[:except] = except
+        expect(app).to receive(:call).with(env).and_return app
       }
-      let(:basic_64) { Base64.strict_encode64(token.to_json) }
-      let(:token) { { "data" => "foobar" } }
-      let(:sample_account) { "someacc" }
-      let(:privilege) { nil }
-      let(:remote_ip) { nil }
-
-      context "of a valid token" do
-          
-        before(:each) {
-          Slosilo.stub token_signer: 'authn:'+sample_account
-        }
-
-        it 'launches app' do
-          app.should_receive(:call).with(env).and_return app
-          call.should == app
+      context "without authorization" do
+        it "proceeds" do
+          expect(call).to eq(app)
+          expect(Conjur::Rack.identity?).to be(false)
+        end
+      end
+      context "with authorization" do
+        include_context "with authorization"
+        it "ignores the authorization" do
+          expect(call).to eq(app)
+          expect(Conjur::Rack.identity?).to be(false)
         end
+      end
+    end
 
-        context 'Authable provides module method conjur_user' do
-          let(:stubuser) { "some value" }
-          before {
-            app.stub(:call) { Conjur::Rack.user }
-          }
-
-          context 'when called in app context' do
-            let(:invoke) {
-              Conjur::Rack::User.should_receive(:new).
-                with(token, sample_account, privilege, remote_ip).
-                and_return(stubuser)
-              Conjur::Rack.should_receive(:user).and_call_original
-              call
-            }
-            
-            shared_examples_for 'returns User built from token' do
-              specify { 
-                invoke.should == stubuser      
-              }
-            end
-            
-            it_should_behave_like 'returns User built from token'
-            
-            context 'with X-Conjur-Privilege' do
-              let(:privilege) { "sudo" }
-              it_should_behave_like 'returns User built from token'
+    context "to a protected path" do
+      let(:env) { { 'SCRIPT_NAME' => '/pathname' } }
+      context "without authorization" do
+        it "returns a 401 error" do
+          expect(call).to return_http 401, "Authorization missing"
+        end
+      end
+      context "with Conjur authorization" do
+        include_context "with authorization"
+
+        context "with CIDR restriction" do
+          let(:claims) { { 'sub' => 'test-user', 'cidr' => %w(192.168.2.0/24 2001:db8::/32) } }
+          let(:token) { Slosilo::JWT.new(claims) }
+          before do
+            allow(subject).to receive_messages \
+                parsed_token: token,
+                http_remote_ip: remote_ip
+          end
+
+          %w(10.0.0.2 fdda:5cc1:23:4::1f).each do |addr|
+            context "with address #{addr} out of range" do
+              let(:remote_ip) { addr }
+              it "returns 403" do
+                expect(call).to return_http 403, "IP address rejected"
+              end
             end
-            
-            context 'with X-Forwarded-For' do
-              let(:remote_ip) { "66.0.0.1" }
-              it_should_behave_like 'returns User built from token'
+          end
+
+          %w(192.168.2.3 2001:db8::22).each do |addr|
+            context "with address #{addr} in range" do
+              let(:remote_ip) { addr }
+              it "passes the request" do
+                expect(call.login).to eq 'test-user'
+              end
             end
           end
+        end
 
-          context 'called out of app context' do
-            it { lambda { Conjur::Rack.user }.should raise_error }
+        context "of a valid token" do
+          it 'launches app' do
+            expect(app).to receive(:call).with(env).and_return app
+            expect(call).to eq(app)
+          end
+        end
+        context "of an invalid token" do
+          it "returns a 401 error" do
+            allow(Slosilo).to receive(:token_signer).and_return(nil)
+            expect(call).to return_http 401, "Unauthorized: Invalid token"
+          end
+        end
+        context "of a token invalid for authn" do
+          it "returns a 401 error" do
+            allow(Slosilo).to receive(:token_signer).and_return('a-totally-different-key')
+            expect(call).to return_http 401, "Unauthorized: Invalid token"
+          end
+        end
+        context "of 'own' token" do
+          it "returns ENV['CONJUR_ACCOUNT']" do
+            expect(ENV).to receive(:[]).with("CONJUR_ACCOUNT").and_return("test-account")
+            expect(app).to receive(:call) do |*args|
+              expect(Conjur::Rack.identity?).to be(true)
+              expect(Conjur::Rack.user.account).to eq('test-account')
+              :done
+            end
+            allow(Slosilo).to receive(:token_signer).and_return('own')
+            expect(call).to eq(:done)
+          end
+          it "requires ENV['CONJUR_ACCOUNT']" do
+            expect(ENV).to receive(:[]).with("CONJUR_ACCOUNT").and_return(nil)
+            allow(Slosilo).to receive(:token_signer).and_return('own')
+            expect(call).to return_http 401, "Unauthorized: Invalid token"
           end
         end
       end
-      context "of an invalid token" do
-        it "returns a 401 error" do
-          Slosilo.stub token_signer: nil
-          call.should == [401, {"Content-Type"=>"text/plain", "Content-Length"=>"26"}, ["Unathorized: Invalid token"]]
+
+      context "with junk in token" do
+        let(:env) { { 'HTTP_AUTHORIZATION' => 'Token token="open sesame"' } }
+        it "returns 401" do
+          expect(call).to return_http 401, "Malformed authorization token"
         end
       end
-      context "of a token invalid for authn" do
-        it "returns a 401 error" do
-          Slosilo.stub token_signer: 'a-totally-different-key'
-          call.should == [401, {"Content-Type"=>"text/plain", "Content-Length"=>"26"}, ["Unathorized: Invalid token"]]
+
+      context "with JSON junk in token" do
+        let(:env) { { 'HTTP_AUTHORIZATION' => 'Token token="eyJmb28iOiAiYmFyIn0="' } }
+        before do
+          allow(Slosilo).to receive(:token_signer).and_return(nil)
+        end
+
+        it "returns 401" do
+            expect(call).to return_http 401, "Unauthorized: Invalid token"
         end
       end
     end
-  end
-  context "without authorization" do
-    context "to a protected path" do
-      let(:env) { { 'SCRIPT_NAME' => '/pathname' } }
-      it "returns a 401 error" do
-        call.should == [401, {"Content-Type"=>"text/plain", "Content-Length"=>"21"}, ["Authorization missing"]]
+    context "to an optional path" do
+      let(:optional) { [ /^\/foo/ ] }
+      let(:env) { { 'SCRIPT_NAME' => '', 'PATH_INFO' => '/foo/bar' } }
+      before {
+        options[:optional] = optional
+      }
+      context "without authorization" do
+        it "proceeds" do
+          expect(app).to receive(:call) do |*args|
+            expect(Conjur::Rack.identity?).to be(false)
+            :done
+          end
+          expect(call).to eq(:done)
+        end
+      end
+      context "with authorization" do
+        include_context "with authorization"
+        it "processes the authorization" do
+          expect(app).to receive(:call) do |*args|
+            expect(Conjur::Rack.identity?).to be(true)
+            :done
+          end
+          expect(call).to eq(:done)
+        end
       end
     end
-    context "to an unprotected path" do
-      let(:except) { [ /^\/foo/ ] }
-      let(:env) { { 'SCRIPT_NAME' => '', 'PATH_INFO' => '/foo/bar' } }
-      it "proceeds" do
-        options[:except] = except
-        app.should_receive(:call).with(env).and_return app
-        call.should == app
+
+    RSpec::Matchers.define :return_http do |status, message|
+      match do |actual|
+        status, headers, body = actual
+        expect(status).to eq status
+        expect(headers).to eq "Content-Type" => "text/plain", "Content-Length" => message.length.to_s
+        expect(body.join).to eq message
       end
     end
   end
+
+  # protected internal methods
+
+  describe '#verify_authorization_and_get_identity' do
+    it "accepts JWT tokens without CIDR restrictions" do
+      mock_jwt sub: 'user'
+      expect { subject.send :verify_authorization_and_get_identity }.to_not raise_error
+    end
+
+    it "rejects JWT tokens with unrecognized claims" do
+      mock_jwt extra: 'field'
+      expect { subject.send :verify_authorization_and_get_identity }.to raise_error \
+          Conjur::Rack::Authenticator::AuthorizationError
+    end
+
+    def mock_jwt claims
+      token = Slosilo::JWT.new(claims).add_signature(alg: 'none') {}
+      allow(subject).to receive(:parsed_token) { token }
+      allow(Slosilo).to receive(:token_signer).with(token).and_return 'authn:test'
+    end
+  end
 end

data/spec/rack/path_prefix_spec.rb

@@ -17,21 +17,21 @@ describe Conjur::Rack::PathPrefix do
     context "/api/hosts" do
       let(:path) { "/api/hosts" }
       it "matches" do
-        app.should_receive(:call).with({ 'PATH_INFO' => '/hosts' }).and_return app
+        expect(app).to receive(:call).with({ 'PATH_INFO' => '/hosts' }).and_return app
         call
       end
     end
     context "/api" do
       let(:path) { "/api" }
       it "doesn't erase the path completely" do
-        app.should_receive(:call).with({ 'PATH_INFO' => '/' }).and_return app
+        expect(app).to receive(:call).with({ 'PATH_INFO' => '/' }).and_return app
         call
       end
     end
     context "with non-matching prefix" do
       let(:path) { "/hosts" }
       it "doesn't match" do
-        app.should_receive(:call).with({ 'PATH_INFO' => '/hosts' }).and_return app
+        expect(app).to receive(:call).with({ 'PATH_INFO' => '/hosts' }).and_return app
         call
       end
     end

data/spec/rack/user_spec.rb

@@ -1,4 +1,5 @@
 require 'spec_helper'
+require 'conjur/rack/user'
 
 describe Conjur::Rack::User do
   let(:login){ 'admin' }
@@ -6,41 +7,50 @@ describe Conjur::Rack::User do
   let(:account){ 'acct' }
   let(:privilege) { nil }
   let(:remote_ip) { nil }
+  let(:audit_roles) { nil }
+  let(:audit_resources) { nil }
   
-  subject{ described_class.new token, account, privilege, remote_ip }
+  subject(:user) { 
+    described_class.new(token, account, 
+      :privilege => privilege, 
+      :remote_ip => remote_ip, 
+      :audit_roles => audit_roles, 
+      :audit_resources => audit_resources 
+    )
+  }
   
-  its(:token){ should == token }
-  its(:account){ should == account }
-  its(:conjur_account){ should == account }
-  its(:login){ should == token['data'] }
-  
-  it "aliases setter for account to conjur_account" do
-    subject.conjur_account = "changed!"
-    subject.account.should == "changed!"
-  end
-  
-  describe '#new_assocation' do
-    let(:associate){ Class.new }
-    let(:params){{foo: 'bar'}}
-    it "calls cls.new with params including userid: login" do
-      associate.should_receive(:new).with(params.merge(userid: subject.login))
-      subject.new_association(associate, params)
-    end
+  it 'provides field accessors' do
+    expect(user.token).to eq token
+    expect(user.account).to eq account
+    expect(user.conjur_account).to eq account
+    expect(user.login).to eq login
   end
   
   describe '#roleid' do
     let(:login){ tokens.join('/') }
-    context "when login contains one token 'foobar'" do
-      let(:tokens){ ['foobar'] }
-      its(:roleid){ should == "#{account}:user:#{login}" } 
+
+    context "when login contains one token" do
+      let(:tokens) { %w(foobar) }
+
+      it "is expanded to account:user:token" do
+        expect(subject.roleid).to eq "#{account}:user:foobar"
+      end
     end
-    context "when login contains tokens ['foo', 'bar']" do
-      let(:tokens){ ["foos", "bar"] }
-      its(:roleid){ should == "#{account}:#{tokens[0]}:#{tokens[1]}"}
+
+    context "when login contains two tokens" do
+      let(:tokens) { %w(foo bar) }
+
+      it "is expanded to account:first:second" do
+        expect(subject.roleid).to eq "#{account}:foo:bar"
+      end
     end
-    context "when login contains tokens ['foo','bar','baz']" do
-      let(:tokens){ ['foo', 'bar', 'baz'] }
-      its(:roleid){ should == "#{account}:#{tokens[0]}:#{tokens[1]}/#{tokens[2]}" }
+
+    context "when login contains three tokens" do
+      let(:tokens) { %w(foo bar baz) }
+
+      it "is expanded to account:first:second/third" do
+        expect(subject.roleid).to eq "#{account}:foo:bar/baz"
+      end
     end
   end
   
@@ -48,13 +58,13 @@ describe Conjur::Rack::User do
     let(:roleid){ 'the role id' }
     let(:api){ double('conjur api') }
     before do
-      subject.stub(:roleid).and_return roleid
-      subject.stub(:api).and_return api
+      allow(subject).to receive(:roleid).and_return roleid
+      allow(subject).to receive(:api).and_return api
     end
     
     it 'passes roleid to api.role' do
-      api.should_receive(:role).with(roleid).and_return 'the role'
-      subject.role.should == 'the role'
+      expect(api).to receive(:role).with(roleid).and_return 'the role'
+      expect(subject.role).to eq('the role')
     end
   end
   
@@ -63,19 +73,19 @@ describe Conjur::Rack::User do
       let(:privilege) { "reveal" }
       let(:api){ Conjur::API.new_from_token "the-token" }
       before do
-        subject.stub(:api).and_return api
+        allow(subject).to receive(:api).and_return(api)
       end
       it "checks the API function global_privilege_permitted?" do
-        api.should_receive(:resource).with("!:!:conjur").and_return resource = double(:resource)
-        resource.should_receive(:permitted?).with("reveal").and_return true
-        expect(subject.global_reveal?).to be_true
+        expect(api).to receive(:resource).with("!:!:conjur").and_return(resource = double(:resource))
+        expect(resource).to receive(:permitted?).with("reveal").and_return(true)
+        expect(subject.global_reveal?).to be true
         # The result is cached
         subject.global_reveal?
       end
     end
     context "without a global privilege" do
       it "simply returns nil" do
-        expect(subject.global_reveal?).to be_false
+        expect(subject.global_reveal?).to be false
       end
     end
   end
@@ -84,38 +94,96 @@ describe Conjur::Rack::User do
     context "when given a class" do
       let(:cls){ double('API class') }
       it "calls cls.new_from_token with its token" do
-        cls.should_receive(:new_from_token).with(token).and_return 'the api'
-        subject.api(cls).should == 'the api'
+        expect(cls).to receive(:new_from_token).with(token).and_return 'the api'
+        expect(subject.api(cls)).to eq('the api')
       end
     end
     context 'when not given args' do
       shared_examples_for "builds the api" do
-        specify {
-          subject.api.should == 'the api'
-        }
+        its(:api) { should == 'the api' }
       end
       
       context "with no extra args" do
         before {
-          Conjur::API.should_receive(:new_from_token).with(token).and_return 'the api'
+          expect(Conjur::API).to receive(:new_from_token).with(token).and_return('the api')
         }
         it_should_behave_like "builds the api"
       end
       context "with remote_ip" do
         let(:remote_ip) { "the-ip" }
         before {
-          Conjur::API.should_receive(:new_from_token).with(token, 'the-ip').and_return 'the api'
+          expect(Conjur::API).to receive(:new_from_token).with(token, 'the-ip').and_return('the api')
         }
         it_should_behave_like "builds the api"
       end
       context "with privilege" do
-        let(:privilege) { "sudo" }
+        let(:privilege) { "elevate" }
+        before {
+          expect(Conjur::API).to receive(:new_from_token).with(token).and_return(api = double(:api))
+          expect(api).to receive(:with_privilege).with("elevate").and_return('the api')
+        }
+        it_should_behave_like "builds the api"
+      end
+
+      context "with audit resource" do
+        let (:audit_resources) {  'food:bacon' }
         before {
-          Conjur::API.should_receive(:new_from_token).with(token).and_return api = double(:api)
-          expect(api).to receive(:with_privilege).with("sudo").and_return('the api')
+          expect(Conjur::API).to receive(:new_from_token).with(token).and_return(api = double(:api))
+          expect(api).to receive(:with_audit_resources).with(['food:bacon']).and_return('the api')
         }
         it_should_behave_like "builds the api"
       end
+
+      context "with audit roles" do
+        let (:audit_roles) {  'user:cook' }
+        before {
+          expect(Conjur::API).to receive(:new_from_token).with(token).and_return(api = double(:api))
+          expect(api).to receive(:with_audit_roles).with(['user:cook']).and_return('the api')
+        }
+        it_should_behave_like "builds the api"
+      end
+
+    end
+  end
+
+  context "with invalid type payload" do
+    let(:token){ { "data" => :alice } }
+    it "raises an error on trying to access the content" do
+      expect{ subject.login }.to raise_error("Expecting String or Hash token data, got Symbol")
+    end
+  end
+
+  context "with hash payload" do
+    let(:token){ { "data" => { "login" => "alice", "capabilities" => { "fry" => "bacon" } } } }
+
+    it "processes the login and attributes" do
+      original_token = token.deep_dup
+
+      expect(subject.login).to eq('alice')
+      expect(subject.attributes).to eq({"capabilities" => { "fry" => "bacon" }})
+
+      expect(token).to eq original_token
+    end
+  end
+
+  context "with JWT token" do
+    let(:token) { {"protected"=>"eyJhbGciOiJ0ZXN0IiwidHlwIjoiSldUIn0=",
+ "payload"=>"eyJzdWIiOiJhbGljZSIsImlhdCI6MTUwNDU1NDI2NX0=",
+ "signature"=>"dGVzdHNpZw=="} }
+
+    it "processes the login and attributes" do
+      original_token = token.deep_dup
+
+      expect(subject.login).to eq('alice')
+
+      # TODO: should we only pass unrecognized attrs here?
+      expect(subject.attributes).to eq \
+          'alg' => 'test',
+          'iat' => 1504554265,
+          'sub' => 'alice',
+          'typ' => 'JWT'
+
+      expect(token).to eq original_token
     end
   end
-end
+end

data/spec/rack_spec.rb

@@ -0,0 +1,49 @@
+require 'spec_helper'
+require 'conjur/rack'
+
+describe Conjur::Rack do
+  describe '.user' do
+    include_context "with authorization"
+    let(:stubuser) { double :stubuser }
+    before do
+      allow(Conjur::Rack::User).to receive(:new)
+        .with(token, 'someacc', {:privilege => privilege, :remote_ip => remote_ip, :audit_roles => audit_roles, :audit_resources => audit_resources})
+        .and_return(stubuser)
+    end
+
+    context 'when called in app context' do
+      shared_examples_for :returns_user do
+        it "returns user built from token" do
+          expect(call).to eq stubuser
+        end
+      end
+
+      include_examples :returns_user
+
+      context 'with X-Conjur-Privilege' do
+        let(:privilege) { "elevate" }
+        include_examples :returns_user
+      end
+
+      context 'with X-Forwarded-For' do
+        let(:remote_ip) { "66.0.0.1" }
+        include_examples :returns_user
+      end
+
+      context 'with Conjur-Audit-Roles' do
+        let (:audit_roles) { 'user%3Acook' }
+        include_examples :returns_user
+      end
+
+      context 'with Conjur-Audit-Resources' do
+        let (:audit_resources) { 'food%3Abacon' }
+        include_examples :returns_user
+      end
+
+    end
+
+    it "raises error if called out of app context" do
+      expect { Conjur::Rack.user }.to raise_error('No Conjur identity for current request')
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -4,8 +4,44 @@ $:.unshift File.join(File.dirname(__FILE__), "lib")
 
 # Allows loading of an environment config based on the environment
 require 'rspec'
+require 'rspec/its'
 require 'securerandom'
+require 'slosilo'
 
 RSpec.configure do |config|
 end
 
+RSpec.shared_context "with authenticator" do
+  let(:options) { {} }
+  let(:app) { double(:app) }
+  subject(:authenticator) { Conjur::Rack::Authenticator.new(app, options) }
+  let(:call) { authenticator.call env }
+end
+
+RSpec.shared_context "with authorization" do
+  include_context "with authenticator"
+  let(:token_signer) { "authn:someacc" }
+  let(:audit_resources) { nil }
+  let(:privilege) { nil }
+  let(:remote_ip) { nil }
+  let(:audit_roles) { nil }
+
+  before do
+    allow(app).to receive(:call) { Conjur::Rack.user }
+    allow(Slosilo).to receive(:token_signer).and_return(token_signer)
+  end
+
+  let(:env) do
+    {
+      'HTTP_AUTHORIZATION' => "Token token=\"#{basic_64}\""
+    }.tap do |e|
+      e['HTTP_X_CONJUR_PRIVILEGE'] = privilege if privilege
+      e['HTTP_X_FORWARDED_FOR'] = remote_ip if remote_ip
+      e['HTTP_CONJUR_AUDIT_ROLES'] = audit_roles if audit_roles
+      e['HTTP_CONJUR_AUDIT_RESOURCES'] = audit_resources if audit_resources
+    end
+  end
+
+  let(:basic_64) { Base64.strict_encode64(token.to_json) }
+  let(:token) { { "data" => "foobar" } }
+end

metadata

@@ -1,57 +1,57 @@
 --- !ruby/object:Gem::Specification
 name: conjur-rack
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: 3.1.0
 platform: ruby
 authors:
 - Kevin Gilpin
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-10-20 00:00:00.000000000 Z
+date: 2017-10-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: slosilo
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.1'
 - !ruby/object:Gem::Dependency
   name: conjur-api
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '4.17'
+        version: '6'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '4.17'
+        version: '6'
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -86,22 +86,44 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '2.9'
-    - - "<"
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: ci_reporter_rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '2.9'
-    - - "<"
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: ci_reporter_rspec
+  name: rspec-its
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -123,13 +145,13 @@ extra_rdoc_files: []
 files:
 - ".gitignore"
 - ".project"
-- ".rvmrc"
 - CHANGELOG.md
 - Gemfile
 - LICENSE.txt
 - README.md
 - Rakefile
 - conjur-rack.gemspec
+- jenkins.sh
 - lib/conjur/rack.rb
 - lib/conjur/rack/authenticator.rb
 - lib/conjur/rack/path_prefix.rb
@@ -138,6 +160,7 @@ files:
 - spec/rack/authenticator_spec.rb
 - spec/rack/path_prefix_spec.rb
 - spec/rack/user_spec.rb
+- spec/rack_spec.rb
 - spec/spec_helper.rb
 homepage: http://github.com/conjurinc/conjur-rack
 licenses:
@@ -159,7 +182,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.8
+rubygems_version: 2.6.13
 signing_key: 
 specification_version: 4
 summary: Rack authenticator and basic User struct
@@ -167,4 +190,5 @@ test_files:
 - spec/rack/authenticator_spec.rb
 - spec/rack/path_prefix_spec.rb
 - spec/rack/user_spec.rb
+- spec/rack_spec.rb
 - spec/spec_helper.rb

data/.rvmrc

@@ -1 +0,0 @@
-rvm use --create 2.0.0@conjur-rack