jwt-bouncer 0.1.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 9d0c3be8cdfa58b6baa7ec47c8df5f3a5efc823e
+  data.tar.gz: ebd73773ea8d3feb01635c12a4baa43817e07589
+SHA512:
+  metadata.gz: 1fec43fdf1bbf19cebe162727c8ab454ce6f6c1dbc529489f55f11df0da5876f508ead002f1f4ad104bb2fb8806e1b1c75330af45c7ece6259f581d33759f108
+  data.tar.gz: 05af534ca792ae6a2e26621f002b31b4697152671f0edc713d99342dad52426d999edfbee4e9909b6040b91c9c6cd1ed387cd0e099845ab8e31d44255c3461c5

data/.gitignore

@@ -0,0 +1,9 @@
+# Ignore bundler config.
+/.bundle
+
+# Ignore all logfiles and tempfiles.
+/log/*
+/tmp/*
+
+# Ignore annoying Mac files
+**.DS_Store

data/Dockerfile

@@ -0,0 +1,23 @@
+FROM ruby:2.4-slim
+LABEL maintainer "ryan@ryantownsend.co.uk"
+
+# Install basic packages
+RUN apt-get update -qq && apt-get install -y --no-install-recommends \
+  build-essential \
+  curl \
+  git
+
+# Configure the main working directory
+ENV app /app
+RUN mkdir $app
+WORKDIR $app
+
+# Set the where to install gems
+ENV GEM_HOME /rubygems
+ENV BUNDLE_PATH /rubygems
+
+# Link the whole application up
+ADD . $app
+
+# Ensure our gems are installed when running commands
+ENTRYPOINT bin/docker/entrypoint $0 $@

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in jwt-bouncer.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,59 @@
+PATH
+  remote: .
+  specs:
+    jwt-bouncer (0.1.0)
+      jwt (~> 1.5, >= 1.5.6)
+      rack (~> 2.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (5.0.1)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (~> 0.7)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    coderay (1.1.1)
+    concurrent-ruby (1.0.4)
+    diff-lcs (1.3)
+    i18n (0.8.1)
+    jwt (1.5.6)
+    method_source (0.8.2)
+    minitest (5.10.1)
+    pry (0.10.4)
+      coderay (~> 1.1.0)
+      method_source (~> 0.8.1)
+      slop (~> 3.4)
+    rack (2.0.1)
+    rake (10.5.0)
+    rspec (3.5.0)
+      rspec-core (~> 3.5.0)
+      rspec-expectations (~> 3.5.0)
+      rspec-mocks (~> 3.5.0)
+    rspec-core (3.5.4)
+      rspec-support (~> 3.5.0)
+    rspec-expectations (3.5.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.5.0)
+    rspec-mocks (3.5.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.5.0)
+    rspec-support (3.5.0)
+    slop (3.6.0)
+    thread_safe (0.3.5)
+    tzinfo (1.2.2)
+      thread_safe (~> 0.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activesupport (~> 5.0, >= 5.0.1)
+  bundler (~> 1.14)
+  jwt-bouncer!
+  pry (~> 0.10)
+  rake (~> 10.0)
+  rspec (~> 3.5)
+
+BUNDLED WITH
+   1.14.3

data/LICENSE

@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Shift Commerce Ltd
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,63 @@
+[![JWT Compatible](https://jwt.io/assets/badge-compatible.svg)](https://jwt.io/)
+
+JwtBouncer is an abstraction for JWT-based authentication/authorisation.
+
+### Usage
+
+#### Parsing incoming requests
+
+JwtBouncer includes a request parser which accepts a standard Rack request object and provides automated decoding and verification of the JWT.
+
+You can then call various methods on this for authorisation. It's best demonstrated through an example:
+
+```ruby
+require 'jwt_bouncer/request'
+
+r = JwtBouncer::Request.new(request)
+
+# is the token valid
+r.authenticated?
+
+# checks whether permissions has this key and it's truthy
+r.can?(:update_product)
+
+# who is authenticated, returns a hash of data
+r.actor
+
+# access the raw permissions hash
+r.permissions
+```
+
+#### Signing outbound requests
+
+JwtBouncer isn't currently designed to provide extensive JWT signing, however it does provide a small service object for signing outbound requests. This can be useful for test suites where you may want to fake a JWT signed request.
+
+```ruby
+require 'jwt_bouncer/sign_request'
+
+# assuming you're using rspec-mocks here, but this could be a real request
+request = double(:request, headers: {})
+
+# some data to pass in
+shared_secret = 'leeroy'
+permissions = { update_product: true }
+actor = { type: 'user', id: 1, name: 'Jenkins' }
+
+# expiry is optional
+expiry = Time.now.to_i + 60
+
+# sign the request
+JwtBouncer::SignRequest.call request, shared_secret: shared_secret,
+                                      permissions: permissions,
+                                      actor: actor,
+                                      expiry: expiry
+
+# the request will now have the token in the header
+request.headers['Authorization'] # => "Bearer ..."
+```
+
+### Contributing
+
+Read the [development documentation](https://github.com/shiftcommerce/jwt-bouncer/blob/master/docs/development.md) to understand how to work on the library locally.
+
+We welcome pull requests.

data/Rakefile

@@ -0,0 +1,2 @@
+require 'bundler/gem_tasks'
+task default: :spec

data/bin/bundle

@@ -0,0 +1,2 @@
+#!/bin/bash
+./bin/run bundle $@

data/bin/console

@@ -0,0 +1,2 @@
+#!/bin/bash
+./bin/run ./bin/docker/console

data/bin/docker/console

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+
+require 'bundler/setup'
+require 'jwt/bouncer'
+require 'pry'
+
+Pry.start

data/bin/docker/entrypoint

@@ -0,0 +1,12 @@
+#!/bin/bash
+bundle check || {
+  echo "Installing gems..."
+  {
+    bundle install --jobs 4 --retry 5 --quiet && echo "Installed gems."
+  } || {
+    echo "Gem installation failed."
+    exit 1
+  }
+}
+
+exec "$@"

data/bin/docker/rake

@@ -0,0 +1,3 @@
+#!/usr/local/bin/ruby
+require 'rake'
+Rake.application.run

data/bin/rake

@@ -0,0 +1,2 @@
+#!/bin/bash
+./bin/run bundle exec rake $@

data/bin/rspec

@@ -0,0 +1,2 @@
+#!/bin/bash
+./bin/run bundle exec rspec $@

data/bin/run

@@ -0,0 +1,2 @@
+#!/bin/bash
+docker-compose run --rm app $@

data/docker-compose.yml

@@ -0,0 +1,14 @@
+version: '2'
+
+services:
+  app:
+    build: .
+    volumes:
+      - .:/app
+      - rubygems_cache:/rubygems
+    environment:
+      GEM_HOME: '/rubygems'
+      BUNDLE_PATH: '/rubygems'
+
+volumes:
+  rubygems_cache:

data/docs/development.md

@@ -0,0 +1,9 @@
+This library is setup using Docker and docker-compose, meaning you don't even need to have Ruby or any of the dependencies installed locally – you only need the [Docker Toolbox](https://www.docker.com/products/docker-toolbox).
+
+Once you have the toolbox installed and running, you can boot a Pry console with the library loaded by simply running `./bin/console`. docker-compose will take care of downloading and installing dependencies.
+
+For your common commands, you'll need to use the script equivalents in the `bin` folder, e.g. `./bin/bundle exec ...`, `./bin/rake -T` etc.
+
+Tests can be run simply by using `./bin/rspec`.
+
+If you need to run a custom command, you can use `./bin/run command here`, e.g. `./bin/run bash` will give you a bash console to the Docker instance.

data/jwt-bouncer.gemspec

@@ -0,0 +1,29 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'jwt_bouncer/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'jwt-bouncer'
+  spec.version       = JwtBouncer::VERSION
+  spec.authors       = ['Ryan Townsend']
+  spec.email         = ['ryan@ryantownsend.co.uk']
+
+  spec.summary       = 'jwt-bouncer is an abstraction for JWT-based authentication/authorisation'
+  spec.homepage      = 'https://github.com/ryantownsend/jwt-bouncer'
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'bundler', '~> 1.14'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'pry', '~> 0.10'
+  spec.add_development_dependency 'rspec', '~> 3.5'
+  spec.add_development_dependency 'activesupport', '~> 5.0', '>= 5.0.1'
+  spec.add_dependency 'rack', '~> 2.0'
+  spec.add_dependency 'jwt', '~> 1.5', '>= 1.5.6'
+end

data/lib/jwt_bouncer.rb

@@ -0,0 +1,8 @@
+require 'jwt_bouncer/version'
+
+module JwtBouncer
+  autoload :Request,     'jwt_bouncer/request'
+  autoload :SignRequest, 'jwt_bouncer/sign_request'
+  autoload :Token,       'jwt_bouncer/token'
+  autoload :Permissions, 'jwt_bouncer/permissions'
+end

data/lib/jwt_bouncer/permissions.rb

@@ -0,0 +1,46 @@
+# frozen-string-literal: true
+
+require 'jwt'
+require 'zlib'
+
+module JwtBouncer
+  module Permissions
+    def self.compress(permissions)
+      stream = StringIO.new
+      zip = Zlib::GzipWriter.new(stream)
+      begin
+        zip.write(permissions.to_json)
+      ensure
+        zip.close
+      end
+
+      Base64.encode64(stream.string)
+    end
+
+    def self.decompress(permissions)
+      unzipped_stream = StringIO.new
+      StringIO.open(Base64.decode64(permissions)) do |stream|
+        unzip = Zlib::GzipReader.new(stream)
+        begin
+          unzipped_stream.write(unzip.read)
+        ensure
+          unzip.close
+        end
+      end
+
+      JSON.parse(unzipped_stream.string)
+    end
+
+    def self.destructure(permissions)
+      destructured_permissions = []
+      permissions.each do |service, resources|
+        resources.each do |resource, resource_permissions|
+          resource_permissions.each do |permission|
+            destructured_permissions << [service, resource, permission].join('_')
+          end
+        end
+      end
+      destructured_permissions
+    end
+  end
+end

data/lib/jwt_bouncer/request.rb

@@ -0,0 +1,57 @@
+# frozen-string-literal: true
+
+require 'jwt_bouncer/token'
+require 'jwt_bouncer/permissions'
+require 'jwt'
+
+module JwtBouncer
+  class Request
+    HEADER = 'Authorization'.freeze
+
+    def initialize(request, shared_secret: nil)
+      @encoded_token = Request.extract_token(request)
+      @shared_secret = shared_secret
+    end
+
+    def authenticated?
+      !!decoded_token
+    rescue JWT::DecodeError
+      false
+    end
+
+    def actor
+      decoded_token['actor']
+    end
+
+    def account_reference
+      decoded_token['account_reference']
+    end
+
+    def permissions
+      @permissions ||= Permissions.decompress(decoded_token['permissions'])
+    end
+
+    def can?(action)
+      destructured_action_permissions = Permissions.destructure(action)
+      matching_permissions = destructured_action_permissions & destructured_permissions
+      matching_permissions == destructured_action_permissions
+    end
+
+    # extracts the encoded token from the given request
+    def self.extract_token(request)
+      return nil unless request.headers.key?(HEADER)
+      matches = request.headers.fetch(HEADER).match(/\ABearer\s(.*)\z/i)
+      matches[1] if matches
+    end
+
+    private
+
+    def decoded_token
+      @decoded_token ||= Token.decode(@encoded_token, @shared_secret)
+    end
+
+    def destructured_permissions
+      Permissions.destructure(permissions)
+    end
+  end
+end

data/lib/jwt_bouncer/sign_request.rb

@@ -0,0 +1,21 @@
+# frozen-string-literal: true
+require 'jwt_bouncer/token'
+require 'jwt_bouncer/permissions'
+
+module JwtBouncer
+  module SignRequest
+    def self.call(request, **options)
+      request.headers['Authorization'] = "Bearer #{generate_token(**options)}"
+      request
+    end
+
+    def self.generate_token(permissions: {}, actor: {}, account_reference:, shared_secret:, expiry: nil)
+      payload = {
+        permissions: Permissions.compress(permissions),
+        actor: actor,
+        account_reference: account_reference
+      }
+      Token.encode(payload, shared_secret, expiry: expiry)
+    end
+  end
+end

data/lib/jwt_bouncer/token.rb

@@ -0,0 +1,21 @@
+# frozen-string-literal: true
+require 'jwt'
+
+module JwtBouncer
+  module Token
+    ALGORITHM = 'HS256'
+
+    def self.encode(data, shared_secret, expiry: nil)
+      # setup our base payload
+      payload = { data: data, iat: Time.now.utc.to_i }
+      # apply expiry, if necessary
+      payload[:exp] = expiry.to_i if expiry
+      # build the JWT
+      JWT.encode(payload, shared_secret, ALGORITHM)
+    end
+
+    def self.decode(token, shared_secret)
+      JWT.decode(token, shared_secret, true, algorithm: ALGORITHM, verify_iat: true).dig(0, 'data')
+    end
+  end
+end

data/lib/jwt_bouncer/version.rb

@@ -0,0 +1,3 @@
+module JwtBouncer
+  VERSION = '0.1.1'.freeze
+end

metadata

@@ -0,0 +1,177 @@
+--- !ruby/object:Gem::Specification
+name: jwt-bouncer
+version: !ruby/object:Gem::Version
+  version: 0.1.1
+platform: ruby
+authors:
+- Ryan Townsend
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2017-04-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.14'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.14'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.5'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.0.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.0.1
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.5.6
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.5.6
+description: 
+email:
+- ryan@ryantownsend.co.uk
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Dockerfile
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- Rakefile
+- bin/bundle
+- bin/console
+- bin/docker/console
+- bin/docker/entrypoint
+- bin/docker/rake
+- bin/rake
+- bin/rspec
+- bin/run
+- docker-compose.yml
+- docs/development.md
+- jwt-bouncer.gemspec
+- lib/jwt_bouncer.rb
+- lib/jwt_bouncer/permissions.rb
+- lib/jwt_bouncer/request.rb
+- lib/jwt_bouncer/sign_request.rb
+- lib/jwt_bouncer/token.rb
+- lib/jwt_bouncer/version.rb
+homepage: https://github.com/ryantownsend/jwt-bouncer
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.8
+signing_key: 
+specification_version: 4
+summary: jwt-bouncer is an abstraction for JWT-based authentication/authorisation
+test_files: []