epb-auth-tools 1.0.4 → 1.0.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/epb-auth-tools.rb +5 -5
- data/lib/errors.rb +61 -23
- data/lib/http_client.rb +6 -6
- data/lib/sinatra/conditional.rb +2 -2
- data/lib/token.rb +14 -14
- data/lib/token_processor.rb +6 -8
- metadata +14 -11
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 51ff1680c92485230dcdd83f6d87a7346f7cd74e1f4d4df5cc556df606b39e60
|
|
4
|
+
data.tar.gz: c1179b6b77dfcf84f70f962c3a82229f1bbdc08dede87c232441d52eee6eed02
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: afeedf14c33ef8d100f06afdcea24fc5825b327c1723044517b46739f255924d48dd51d545f024c409fac97b63647a206c8912a7cccaddae9464414b9457df56
|
|
7
|
+
data.tar.gz: 0f65a346cf7aeec3ca38a032e6daa26261283ab7451781231beae77ce966870b96e6661d38182800c8bdc0e2cd469de7528a8118058aeafa77d107711f0e0547
|
data/lib/epb-auth-tools.rb
CHANGED
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
3
|
module Auth
|
|
4
|
-
require_relative
|
|
5
|
-
require_relative
|
|
6
|
-
require_relative
|
|
7
|
-
require_relative
|
|
4
|
+
require_relative "errors"
|
|
5
|
+
require_relative "http_client"
|
|
6
|
+
require_relative "token"
|
|
7
|
+
require_relative "token_processor"
|
|
8
8
|
|
|
9
|
-
require_relative
|
|
9
|
+
require_relative "sinatra/conditional"
|
|
10
10
|
end
|
data/lib/errors.rb
CHANGED
|
@@ -2,35 +2,73 @@
|
|
|
2
2
|
|
|
3
3
|
module Auth
|
|
4
4
|
module Errors
|
|
5
|
-
class Error < RuntimeError
|
|
5
|
+
class Error < RuntimeError
|
|
6
|
+
end
|
|
6
7
|
|
|
7
|
-
class Processor < Auth::Errors::Error
|
|
8
|
-
|
|
9
|
-
class ProcessorHasNoIssuer < Auth::Errors::Error; end
|
|
8
|
+
class Processor < Auth::Errors::Error
|
|
9
|
+
end
|
|
10
10
|
|
|
11
|
-
class
|
|
11
|
+
class ProcessorHasNoSecret < Auth::Errors::Error
|
|
12
|
+
end
|
|
12
13
|
|
|
13
|
-
class
|
|
14
|
-
|
|
15
|
-
class TokenExpired < Auth::Errors::TokenPayloadError; end
|
|
16
|
-
class TokenNotYetValid < Auth::Errors::TokenPayloadError; end
|
|
17
|
-
class TokenHasNoIssuer < Auth::Errors::TokenPayloadError; end
|
|
18
|
-
class TokenHasNoSubject < Auth::Errors::TokenPayloadError; end
|
|
19
|
-
class TokenHasNoIssuedAt < Auth::Errors::TokenPayloadError; end
|
|
20
|
-
class TokenHasNoExpiry < Auth::Errors::TokenPayloadError; end
|
|
21
|
-
class TokenIssuerIncorrect < Auth::Errors::TokenPayloadError; end
|
|
14
|
+
class ProcessorHasNoIssuer < Auth::Errors::Error
|
|
15
|
+
end
|
|
22
16
|
|
|
23
|
-
class
|
|
24
|
-
|
|
17
|
+
class Token < Auth::Errors::Error
|
|
18
|
+
end
|
|
25
19
|
|
|
26
|
-
class
|
|
20
|
+
class TokenMissing < Auth::Errors::Token
|
|
21
|
+
end
|
|
27
22
|
|
|
28
|
-
class
|
|
29
|
-
|
|
30
|
-
class ClientHasNoClientSecret < Auth::Errors::Client; end
|
|
31
|
-
class ClientHasNoBaseUri < Auth::Errors::Client; end
|
|
23
|
+
class TokenPayloadError < Auth::Errors::Token
|
|
24
|
+
end
|
|
32
25
|
|
|
33
|
-
class
|
|
34
|
-
|
|
26
|
+
class TokenExpired < Auth::Errors::TokenPayloadError
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
class TokenNotYetValid < Auth::Errors::TokenPayloadError
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
class TokenHasNoIssuer < Auth::Errors::TokenPayloadError
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
class TokenHasNoSubject < Auth::Errors::TokenPayloadError
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
class TokenHasNoIssuedAt < Auth::Errors::TokenPayloadError
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
class TokenHasNoExpiry < Auth::Errors::TokenPayloadError
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
class TokenIssuerIncorrect < Auth::Errors::TokenPayloadError
|
|
45
|
+
end
|
|
46
|
+
|
|
47
|
+
class TokenDecodeError < Auth::Errors::Token
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
class TokenTamperDetected < Auth::Errors::TokenDecodeError
|
|
51
|
+
end
|
|
52
|
+
|
|
53
|
+
class Client < Auth::Errors::Error
|
|
54
|
+
end
|
|
55
|
+
|
|
56
|
+
class ClientHasNoAuthServer < Auth::Errors::Client
|
|
57
|
+
end
|
|
58
|
+
|
|
59
|
+
class ClientHasNoClientId < Auth::Errors::Client
|
|
60
|
+
end
|
|
61
|
+
|
|
62
|
+
class ClientHasNoClientSecret < Auth::Errors::Client
|
|
63
|
+
end
|
|
64
|
+
|
|
65
|
+
class ClientHasNoBaseUri < Auth::Errors::Client
|
|
66
|
+
end
|
|
67
|
+
|
|
68
|
+
class Network < Auth::Errors::Error
|
|
69
|
+
end
|
|
70
|
+
|
|
71
|
+
class NetworkConnectionFailed < Auth::Errors::Network
|
|
72
|
+
end
|
|
35
73
|
end
|
|
36
74
|
end
|
data/lib/http_client.rb
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
|
-
require
|
|
3
|
+
require "oauth2"
|
|
4
4
|
|
|
5
5
|
module Auth
|
|
6
6
|
class HttpClient
|
|
@@ -21,11 +21,10 @@ module Auth
|
|
|
21
21
|
@authenticated_client = nil
|
|
22
22
|
|
|
23
23
|
site_url = URI.parse(auth_server)
|
|
24
|
-
token_url = site_url.path
|
|
25
|
-
authorisation_url = site_url.path
|
|
24
|
+
token_url = "#{site_url.path}/oauth/token"
|
|
25
|
+
authorisation_url = "#{site_url.path}/oauth/token"
|
|
26
26
|
site_url = "#{site_url.scheme}://#{site_url.host}:#{site_url.port}"
|
|
27
27
|
|
|
28
|
-
|
|
29
28
|
@base_uri = base_uri
|
|
30
29
|
@client =
|
|
31
30
|
auth_client.new client_id,
|
|
@@ -61,8 +60,9 @@ module Auth
|
|
|
61
60
|
|
|
62
61
|
if @authenticated_client.respond_to? method_name
|
|
63
62
|
response = @authenticated_client.send method_name, *args, &block
|
|
64
|
-
if response.
|
|
65
|
-
|
|
63
|
+
if response.status == 401
|
|
64
|
+
# a 401 here is assumed to be due to an expired token
|
|
65
|
+
# otherwise, refreshing the token and calling again should make no difference to the ultimate response
|
|
66
66
|
refresh
|
|
67
67
|
response = @authenticated_client.send method_name, *args, &block
|
|
68
68
|
end
|
data/lib/sinatra/conditional.rb
CHANGED
|
@@ -4,9 +4,9 @@ module Auth
|
|
|
4
4
|
module Sinatra
|
|
5
5
|
class Conditional
|
|
6
6
|
def self.process_request(env)
|
|
7
|
-
jwt_token = env.fetch(
|
|
7
|
+
jwt_token = env.fetch("HTTP_AUTHORIZATION", "").slice(7..-1)
|
|
8
8
|
processor =
|
|
9
|
-
Auth::TokenProcessor.new ENV[
|
|
9
|
+
Auth::TokenProcessor.new ENV["JWT_SECRET"], ENV["JWT_ISSUER"]
|
|
10
10
|
processor.process jwt_token
|
|
11
11
|
end
|
|
12
12
|
end
|
data/lib/token.rb
CHANGED
|
@@ -7,35 +7,35 @@ module Auth
|
|
|
7
7
|
validate_payload
|
|
8
8
|
end
|
|
9
9
|
|
|
10
|
+
def sub
|
|
11
|
+
@payload["sub"]
|
|
12
|
+
end
|
|
13
|
+
|
|
10
14
|
def scope?(scope)
|
|
11
|
-
@payload[
|
|
15
|
+
@payload["scopes"]&.include? scope
|
|
12
16
|
end
|
|
13
17
|
|
|
14
18
|
def scopes?(scopes)
|
|
15
|
-
scopes.all? { |scope| @payload[
|
|
19
|
+
scopes.all? { |scope| @payload["scopes"]&.include? scope }
|
|
16
20
|
end
|
|
17
21
|
|
|
18
22
|
def supplemental(property = nil)
|
|
19
|
-
unless property.nil? || @payload[
|
|
20
|
-
return @payload['sup'][property]
|
|
21
|
-
end
|
|
23
|
+
return @payload["sup"][property] unless property.nil? || @payload["sup"][property].nil?
|
|
22
24
|
|
|
23
|
-
@payload[
|
|
25
|
+
@payload["sup"]
|
|
24
26
|
end
|
|
25
27
|
|
|
26
28
|
def encode(jwt_secret)
|
|
27
|
-
JWT.encode @payload, jwt_secret,
|
|
29
|
+
JWT.encode @payload, jwt_secret, "HS256"
|
|
28
30
|
end
|
|
29
31
|
|
|
30
|
-
|
|
32
|
+
private
|
|
31
33
|
|
|
32
34
|
def validate_payload
|
|
33
|
-
raise Auth::Errors::TokenHasNoIssuer unless @payload.key?(
|
|
34
|
-
raise Auth::Errors::TokenHasNoIssuedAt unless @payload.key?(
|
|
35
|
-
unless @payload[
|
|
36
|
-
|
|
37
|
-
end
|
|
38
|
-
raise Auth::Errors::TokenHasNoSubject unless @payload.key?('sub')
|
|
35
|
+
raise Auth::Errors::TokenHasNoIssuer unless @payload.key?("iss")
|
|
36
|
+
raise Auth::Errors::TokenHasNoIssuedAt unless @payload.key?("iat")
|
|
37
|
+
raise Auth::Errors::TokenNotYetValid unless @payload["iat"] <= Time.now.to_i
|
|
38
|
+
raise Auth::Errors::TokenHasNoSubject unless @payload.key?("sub")
|
|
39
39
|
end
|
|
40
40
|
end
|
|
41
41
|
end
|
data/lib/token_processor.rb
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
|
-
require
|
|
3
|
+
require "jwt"
|
|
4
4
|
|
|
5
5
|
module Auth
|
|
6
6
|
class TokenProcessor
|
|
@@ -17,19 +17,17 @@ module Auth
|
|
|
17
17
|
|
|
18
18
|
payload, _header = jwt_process token
|
|
19
19
|
|
|
20
|
-
raise Auth::Errors::TokenExpired unless payload.key?(
|
|
21
|
-
raise Auth::Errors::TokenHasNoIssuer unless payload.key?(
|
|
22
|
-
unless payload[
|
|
23
|
-
raise Auth::Errors::TokenIssuerIncorrect
|
|
24
|
-
end
|
|
20
|
+
raise Auth::Errors::TokenExpired unless payload.key?("exp")
|
|
21
|
+
raise Auth::Errors::TokenHasNoIssuer unless payload.key?("iss")
|
|
22
|
+
raise Auth::Errors::TokenIssuerIncorrect unless payload["iss"] == @jwt_issuer
|
|
25
23
|
|
|
26
24
|
Auth::Token.new payload
|
|
27
25
|
end
|
|
28
26
|
|
|
29
|
-
|
|
27
|
+
private
|
|
30
28
|
|
|
31
29
|
def jwt_process(token)
|
|
32
|
-
options = { algorithm:
|
|
30
|
+
options = { algorithm: "HS256", iss: @jwt_issuer }
|
|
33
31
|
|
|
34
32
|
JWT.decode token, @jwt_secret, true, options
|
|
35
33
|
rescue JWT::ExpiredSignature
|
metadata
CHANGED
|
@@ -1,16 +1,19 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: epb-auth-tools
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.
|
|
4
|
+
version: 1.0.9
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Lawrence Goldstien <lawrence.goldstien@madetech.com>
|
|
8
8
|
- Yusuf Sheikh <yusuf@madetech.com>
|
|
9
9
|
- Jaseera <jaseera@madetech.com>
|
|
10
|
-
|
|
10
|
+
- Kevin Keenoy <kevin.keenoy@levellingup.gov.uk>
|
|
11
|
+
- Douglas Greenshields <douglas.greenshields@levellingup.gov.uk>
|
|
12
|
+
- Aga Dufrat <aga.dufrat@levellingup.gov.uk>
|
|
13
|
+
autorequire:
|
|
11
14
|
bindir: bin
|
|
12
15
|
cert_chain: []
|
|
13
|
-
date:
|
|
16
|
+
date: 2021-06-23 00:00:00.000000000 Z
|
|
14
17
|
dependencies:
|
|
15
18
|
- !ruby/object:Gem::Dependency
|
|
16
19
|
name: jwt
|
|
@@ -18,14 +21,14 @@ dependencies:
|
|
|
18
21
|
requirements:
|
|
19
22
|
- - "~>"
|
|
20
23
|
- !ruby/object:Gem::Version
|
|
21
|
-
version: '2.
|
|
24
|
+
version: '2.3'
|
|
22
25
|
type: :runtime
|
|
23
26
|
prerelease: false
|
|
24
27
|
version_requirements: !ruby/object:Gem::Requirement
|
|
25
28
|
requirements:
|
|
26
29
|
- - "~>"
|
|
27
30
|
- !ruby/object:Gem::Version
|
|
28
|
-
version: '2.
|
|
31
|
+
version: '2.3'
|
|
29
32
|
- !ruby/object:Gem::Dependency
|
|
30
33
|
name: oauth2
|
|
31
34
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -40,8 +43,8 @@ dependencies:
|
|
|
40
43
|
- - "~>"
|
|
41
44
|
- !ruby/object:Gem::Version
|
|
42
45
|
version: '1.4'
|
|
43
|
-
description:
|
|
44
|
-
email:
|
|
46
|
+
description:
|
|
47
|
+
email:
|
|
45
48
|
executables: []
|
|
46
49
|
extensions: []
|
|
47
50
|
extra_rdoc_files: []
|
|
@@ -56,7 +59,7 @@ homepage: https://github.com/communitiesuk/epb-auth-tools
|
|
|
56
59
|
licenses:
|
|
57
60
|
- MIT
|
|
58
61
|
metadata: {}
|
|
59
|
-
post_install_message:
|
|
62
|
+
post_install_message:
|
|
60
63
|
rdoc_options: []
|
|
61
64
|
require_paths:
|
|
62
65
|
- lib
|
|
@@ -64,15 +67,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
64
67
|
requirements:
|
|
65
68
|
- - ">="
|
|
66
69
|
- !ruby/object:Gem::Version
|
|
67
|
-
version:
|
|
70
|
+
version: 2.7.0
|
|
68
71
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
69
72
|
requirements:
|
|
70
73
|
- - ">="
|
|
71
74
|
- !ruby/object:Gem::Version
|
|
72
75
|
version: '0'
|
|
73
76
|
requirements: []
|
|
74
|
-
rubygems_version: 3.
|
|
75
|
-
signing_key:
|
|
77
|
+
rubygems_version: 3.1.6
|
|
78
|
+
signing_key:
|
|
76
79
|
specification_version: 4
|
|
77
80
|
summary: Tools for authentication and authorisation with JWTs and OAuth
|
|
78
81
|
test_files: []
|