RubyGems - epb-auth-tools - Versions diffs - 1.0.1 - Mend

epb-auth-tools 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml ADDED Viewed

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 782e5a8d8575cc614987e76c1475c6e3bb21126a5f1d69d35534151d9812a861
+  data.tar.gz: 3cb5ed246374496bc8170503bc77c0557c80cb7b6d8f44e57c09548555b9ef6b
+SHA512:
+  metadata.gz: dc06e83c6313dccbae073da2adbc20d694279b7a99ae7e4232b4dad54ca9fa07411e6bc78cfa9c23a3de78ec8285df89da31d7b3c585eafc5312bc44fe7ef85e
+  data.tar.gz: e9899d2035a1955efb170ad2379207d9b3fdd69126f8f7a2d5655719cdb712a163987756332c7172e84234f2cde1c59957b82f210659ebb3d741aea640e1718a

data/lib/epb_auth_tools.rb ADDED Viewed

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+module Auth
+  require_relative 'errors'
+  require_relative 'http_client'
+  require_relative 'token'
+  require_relative 'token_processor'
+  require_relative 'sinatra/conditional'
+end

data/lib/errors.rb ADDED Viewed

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+module Auth
+  module Errors
+    class Error < RuntimeError; end
+    class Processor < Auth::Errors::Error; end
+    class ProcessorHasNoSecret < Auth::Errors::Error; end
+    class ProcessorHasNoIssuer < Auth::Errors::Error; end
+    class Token < Auth::Errors::Error; end
+    class TokenMissing < Auth::Errors::Token; end
+    class TokenPayloadError < Auth::Errors::Token; end
+    class TokenExpired < Auth::Errors::TokenPayloadError; end
+    class TokenNotYetValid < Auth::Errors::TokenPayloadError; end
+    class TokenHasNoIssuer < Auth::Errors::TokenPayloadError; end
+    class TokenHasNoSubject < Auth::Errors::TokenPayloadError; end
+    class TokenHasNoIssuedAt < Auth::Errors::TokenPayloadError; end
+    class TokenHasNoExpiry < Auth::Errors::TokenPayloadError; end
+    class TokenIssuerIncorrect < Auth::Errors::TokenPayloadError; end
+    class TokenDecodeError < Auth::Errors::Token; end
+    class TokenTamperDetected < Auth::Errors::TokenDecodeError; end
+    class Client < Auth::Errors::Error; end
+    class ClientHasNoAuthServer < Auth::Errors::Client; end
+    class ClientHasNoClientId < Auth::Errors::Client; end
+    class ClientHasNoClientSecret < Auth::Errors::Client; end
+    class ClientHasNoBaseUri < Auth::Errors::Client; end
+    class Network < Auth::Errors::Error; end
+    class NetworkConnectionFailed < Auth::Errors::Network; end
+  end
+end

data/lib/http_client.rb ADDED Viewed

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+require 'oauth2'
+module Auth
+  class HttpClient
+    attr_reader :authenticated_client
+    def initialize(
+      client_id = nil,
+      client_secret = nil,
+      auth_server = nil,
+      base_uri = nil,
+      auth_client = OAuth2::Client
+    )
+      raise Auth::Errors::ClientHasNoClientId if client_id.nil?
+      raise Auth::Errors::ClientHasNoClientSecret if client_secret.nil?
+      raise Auth::Errors::ClientHasNoAuthServer if auth_server.nil?
+      raise Auth::Errors::ClientHasNoBaseUri if base_uri.nil?
+      @authenticated_client = nil
+      site_url = URI.parse(auth_server)
+      token_url = site_url.path + '/oauth/token'
+      authorisation_url = site_url.path + '/oauth/token'
+      site_url = "#{site_url.scheme}://#{site_url.host}:#{site_url.port}"
+      @base_uri = base_uri
+      @client =
+        auth_client.new client_id,
+                        client_secret,
+                        site: site_url,
+                        token_url: token_url,
+                        authorisation_url: authorisation_url,
+                        raise_errors: false
+    end
+    def refresh
+      @authenticated_client = @client.client_credentials.get_token
+    end
+    def refresh?
+      @authenticated_client.nil? || @authenticated_client.expired?
+    end
+    def self.delegate(*methods)
+      methods.each do |method_name|
+        define_method(method_name) do |*args, &block|
+          request method_name, *args, &block
+        end
+      end
+    end
+    delegate :get, :post, :put
+    def request(method_name, *args, &block)
+      refresh? && refresh
+      args[0] = @base_uri + args[0]
+      if @authenticated_client.respond_to? method_name
+        response = @authenticated_client.send method_name, *args, &block
+        if response.body.is_a?(::Hash) &&
+             response.body[:error] == 'Auth::Errors::TokenExpired'
+          refresh
+          response = @authenticated_client.send method_name, *args, &block
+        end
+        response
+      end
+    rescue Faraday::ConnectionFailed
+      raise Auth::Errors::NetworkConnectionFailed
+    end
+  end
+end

data/lib/sinatra/conditional.rb ADDED Viewed

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+module Auth
+  module Sinatra
+    class Conditional
+      def self.process_request(env)
+        jwt_token = env.fetch('HTTP_AUTHORIZATION', '').slice(7..-1)
+        processor =
+          Auth::TokenProcessor.new ENV['JWT_SECRET'], ENV['JWT_ISSUER']
+        processor.process jwt_token
+      end
+    end
+  end
+end

data/lib/token.rb ADDED Viewed

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+module Auth
+  class Token
+    def initialize(payload)
+      @payload = JSON.parse payload.to_json
+      validate_payload
+    end
+    def scope?(scope)
+      @payload['scopes'].include? scope
+    end
+    def scopes?(scopes)
+      scopes.all? { |scope| @payload['scopes'].include? scope }
+    end
+    def supplemental(property = nil)
+      unless property.nil? || @payload['sup'][property].nil?
+        return @payload['sup'][property]
+      end
+      @payload['sup']
+    end
+    def encode(jwt_secret)
+      JWT.encode @payload, jwt_secret, 'HS256'
+    end
+    private
+    def validate_payload
+      raise Auth::Errors::TokenHasNoIssuer unless @payload.key?('iss')
+      raise Auth::Errors::TokenHasNoIssuedAt unless @payload.key?('iat')
+      unless @payload['iat'] <= Time.now.to_i
+        raise Auth::Errors::TokenNotYetValid
+      end
+      raise Auth::Errors::TokenHasNoSubject unless @payload.key?('sub')
+    end
+  end
+end

data/lib/token_processor.rb ADDED Viewed

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+require 'jwt'
+module Auth
+  class TokenProcessor
+    def initialize(jwt_secret = nil, jwt_issuer = nil)
+      raise Auth::Errors::ProcessorHasNoSecret if jwt_secret.nil?
+      raise Auth::Errors::ProcessorHasNoIssuer if jwt_issuer.nil?
+      @jwt_secret = jwt_secret
+      @jwt_issuer = jwt_issuer
+    end
+    def process(token = nil)
+      raise Auth::Errors::TokenMissing if token.nil?
+      payload, _header = jwt_process token
+      raise Auth::Errors::TokenHasNoIssuer unless payload.key?('iss')
+      unless payload['iss'] == @jwt_issuer
+        raise Auth::Errors::TokenIssuerIncorrect
+      end
+      Auth::Token.new payload
+    end
+    private
+    def jwt_process(token)
+      options = { algorithm: 'HS256', iss: @jwt_issuer }
+      JWT.decode token, @jwt_secret, true, options
+    rescue JWT::ExpiredSignature
+      raise Auth::Errors::TokenExpired
+    rescue JWT::VerificationError
+      raise Auth::Errors::TokenTamperDetected
+    rescue JWT::DecodeError
+      raise Auth::Errors::TokenDecodeError
+    end
+  end
+end

metadata ADDED Viewed

@@ -0,0 +1,78 @@
+--- !ruby/object:Gem::Specification
+name: epb-auth-tools
+version: !ruby/object:Gem::Version
+  version: 1.0.1
+platform: ruby
+authors:
+- Lawrence Goldstien <lawrence.goldstien@madetech.com>
+- Yusuf Sheikh <yusuf@madetech.com>
+- Jaseera <jaseera@madetech.com>
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2020-03-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+- !ruby/object:Gem::Dependency
+  name: oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+description:
+email:
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/epb_auth_tools.rb
+- lib/errors.rb
+- lib/http_client.rb
+- lib/sinatra/conditional.rb
+- lib/token.rb
+- lib/token_processor.rb
+homepage: https://github.com/communitiesuk/epb-auth-tools
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.6
+signing_key:
+specification_version: 4
+summary: Tools for authentication and authorisation with JWTs and OAuth
+test_files: []