jwt_auth_cognito 0.1.0 → 0.3.0

data/lib/jwt_auth_cognito/ssm_service.rb

@@ -0,0 +1,109 @@
+# frozen_string_literal: true
+
+require 'net/http'
+require 'json'
+require 'uri'
+require 'aws-sdk-ssm'
+
+module JwtAuthCognito
+  class SSMService
+    class << self
+      attr_accessor :client, :certificate_cache
+    end
+
+    @client = nil
+    @certificate_cache = {}
+
+    # Initialize the SSM client
+    def self.get_client
+      @client ||= begin
+        require 'aws-sdk-ssm'
+        region = ENV['AWS_REGION'] || ENV['AWS_DEFAULT_REGION'] || 'us-east-1'
+        Aws::SSM::Client.new(region: region)
+      end
+    rescue LoadError
+      raise ConfigurationError,
+            "aws-sdk-ssm gem is required for SSM functionality. Add 'gem \"aws-sdk-ssm\"' to your Gemfile"
+    end
+
+    # Gets a certificate from AWS Parameter Store (compatible with auth-service)
+    # Uses the same path pattern: /${cert_path}/${cert_name}
+    def self.get_ca_certificate(cert_path, cert_name)
+      full_path = "/#{cert_path}/#{cert_name}"
+
+      # Check cache first
+      if @certificate_cache.key?(full_path)
+        puts '📋 Using cached certificate from SSM'
+        return @certificate_cache[full_path]
+      end
+
+      begin
+        puts "📡 Getting certificate from Parameter Store: #{full_path}"
+
+        client = get_client
+        response = client.get_parameter({
+                                          name: full_path,
+                                          with_decryption: true
+                                        })
+
+        raise ConfigurationError, "Certificate parameter not found or invalid: #{full_path}" unless response.parameter&.value
+
+        # Cache the certificate
+        @certificate_cache[full_path] = response.parameter.value
+        puts '✅ Certificate obtained from SSM and cached'
+
+        response.parameter.value
+      rescue Aws::SSM::Errors::ParameterNotFound
+        raise ConfigurationError, "Certificate parameter not found: #{full_path}"
+      rescue Aws::SSM::Errors::ServiceError => e
+        puts "❌ Error getting certificate from SSM (#{full_path}): #{e.message}"
+        raise ConfigurationError, "Error accessing SSM: #{e.message}"
+      rescue StandardError => e
+        puts "❌ Error getting certificate from SSM (#{full_path}): #{e.message}"
+        raise e
+      end
+    end
+
+    # Gets a parameter from AWS Parameter Store
+    def self.get_parameter(parameter_name, with_decryption = true)
+      # Check cache first
+      return @certificate_cache[parameter_name] if @certificate_cache.key?(parameter_name)
+
+      begin
+        client = get_client
+        response = client.get_parameter({
+                                          name: parameter_name,
+                                          with_decryption: with_decryption
+                                        })
+
+        raise ConfigurationError, "Parameter not found or invalid: #{parameter_name}" unless response.parameter&.value
+
+        # Cache the parameter
+        @certificate_cache[parameter_name] = response.parameter.value
+
+        response.parameter.value
+      rescue Aws::SSM::Errors::ParameterNotFound
+        raise ConfigurationError, "Parameter not found: #{parameter_name}"
+      rescue Aws::SSM::Errors::ServiceError => e
+        puts "❌ Error getting parameter from SSM (#{parameter_name}): #{e.message}"
+        raise ConfigurationError, "Error accessing SSM: #{e.message}"
+      rescue StandardError => e
+        puts "❌ Error getting parameter from SSM (#{parameter_name}): #{e.message}"
+        raise e
+      end
+    end
+
+    # Clears the certificate cache
+    def self.clear_cache
+      @certificate_cache.clear
+    end
+
+    # Gets cache stats
+    def self.cache_stats
+      {
+        size: @certificate_cache.size,
+        keys: @certificate_cache.keys
+      }
+    end
+  end
+end

data/lib/jwt_auth_cognito/token_blacklist_service.rb

@@ -10,14 +10,12 @@ module JwtAuthCognito
     def add_to_blacklist(token, user_id: nil)
       token_id = @redis_service.generate_token_id(token)
       ttl = calculate_ttl(token)
-      
+
       result = @redis_service.save_revoked_token(token_id, ttl)
-      
+
       # Track token for user if provided
-      if user_id
-        @redis_service.track_user_token(user_id, token_id, ttl)
-      end
-      
+      @redis_service.track_user_token(user_id, token_id, ttl) if user_id
+
       result
     end
 
@@ -39,18 +37,18 @@ module JwtAuthCognito
     def calculate_ttl(token)
       begin
         payload = JWT.decode(token, nil, false).first
-        exp = payload["exp"]
-        
+        exp = payload['exp']
+
         if exp
           ttl = exp - Time.now.to_i
-          return ttl > 0 ? ttl : 1 # At least 1 second TTL
+          return ttl.positive? ? ttl : 1 # At least 1 second TTL
         end
       rescue JWT::DecodeError
         # If we can't decode the token, use a default TTL
       end
-      
+
       # Default TTL of 1 day if we can't determine expiration
-      86400
+      86_400
     end
   end
-end
+end

data/lib/jwt_auth_cognito/user_data_service.rb

@@ -0,0 +1,332 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module JwtAuthCognito
+  class UserDataService
+    DEFAULT_CACHE_TTL = 300 # 5 minutes
+
+    def initialize(redis_service = nil, config = {})
+      @redis_service = redis_service || RedisService.new
+      @config = {
+        enable_user_data_retrieval: true,
+        include_applications: true,
+        include_organizations: true,
+        include_roles: true,
+        include_effective_permissions: false,
+        cache_timeout: DEFAULT_CACHE_TTL
+      }.merge(config)
+
+      @cache = {}
+      @cache_timestamps = {}
+      @stats = {
+        service: 'UserDataService',
+        connection_status: 'not-initialized',
+        initialized: false,
+        cache_hits: 0,
+        cache_misses: 0
+      }
+    end
+
+    def initialize!
+      @redis_service.initialize! unless @redis_service.connected?
+      @stats[:initialized] = true
+      @stats[:connection_status] = 'connected'
+      puts '✅ UserDataService initialized successfully'
+    rescue StandardError => e
+      @stats[:initialized] = false
+      @stats[:connection_status] = 'error'
+      @stats[:error] = e.message
+      puts "❌ UserDataService initialization failed: #{e.message}"
+      raise e
+    end
+
+    def get_user_permissions(user_id)
+      return nil unless @config[:enable_user_data_retrieval]
+
+      cache_key = "user_permissions:#{user_id}"
+
+      # Check cache first
+      cached_data = get_from_cache(cache_key)
+      if cached_data
+        @stats[:cache_hits] += 1
+        return cached_data
+      end
+
+      @stats[:cache_misses] += 1
+
+      begin
+        redis_key = "user:permissions:#{user_id}"
+        data = @redis_service.get(redis_key)
+
+        return nil unless data
+
+        permissions = JSON.parse(data)
+        set_in_cache(cache_key, permissions)
+
+        permissions
+      rescue StandardError => e
+        puts "Error fetching user permissions for #{user_id}: #{e.message}"
+        nil
+      end
+    end
+
+    def get_application(app_id)
+      return nil unless @config[:include_applications]
+
+      cache_key = "app:#{app_id}"
+
+      # Check cache first
+      cached_data = get_from_cache(cache_key)
+      if cached_data
+        @stats[:cache_hits] += 1
+        return cached_data
+      end
+
+      @stats[:cache_misses] += 1
+
+      begin
+        redis_key = "app:#{app_id}"
+        data = @redis_service.get(redis_key)
+
+        return nil unless data
+
+        application = JSON.parse(data)
+        set_in_cache(cache_key, application)
+
+        application
+      rescue StandardError => e
+        puts "Error fetching application #{app_id}: #{e.message}"
+        nil
+      end
+    end
+
+    def get_organization(app_id, organization_id)
+      return nil unless @config[:include_organizations]
+
+      cache_key = "org:#{app_id}:#{organization_id}"
+
+      # Check cache first
+      cached_data = get_from_cache(cache_key)
+      if cached_data
+        @stats[:cache_hits] += 1
+        return cached_data
+      end
+
+      @stats[:cache_misses] += 1
+
+      begin
+        redis_key = "org:#{app_id}:#{organization_id}"
+        data = @redis_service.get(redis_key)
+
+        return nil unless data
+
+        organization = JSON.parse(data)
+        set_in_cache(cache_key, organization)
+
+        organization
+      rescue StandardError => e
+        puts "Error fetching organization #{app_id}:#{organization_id}: #{e.message}"
+        nil
+      end
+    end
+
+    def get_app_roles(app_id, organization_id)
+      return nil unless @config[:include_roles]
+
+      cache_key = "app_roles:#{app_id}:#{organization_id}"
+
+      # Check cache first
+      cached_data = get_from_cache(cache_key)
+      if cached_data
+        @stats[:cache_hits] += 1
+        return cached_data
+      end
+
+      @stats[:cache_misses] += 1
+
+      begin
+        redis_key = "app:roles:#{app_id}:#{organization_id}"
+        data = @redis_service.get(redis_key)
+
+        return nil unless data
+
+        roles = JSON.parse(data)
+        set_in_cache(cache_key, roles)
+
+        roles
+      rescue StandardError => e
+        puts "Error fetching app roles #{app_id}:#{organization_id}: #{e.message}"
+        nil
+      end
+    end
+
+    def get_app_schema(app_id)
+      cache_key = "app_schema:#{app_id}"
+
+      # Check cache first
+      cached_data = get_from_cache(cache_key)
+      if cached_data
+        @stats[:cache_hits] += 1
+        return cached_data
+      end
+
+      @stats[:cache_misses] += 1
+
+      begin
+        redis_key = 'app-schemas'
+        data = @redis_service.get(redis_key)
+
+        return nil unless data
+
+        schemas = JSON.parse(data)
+        schema = schemas[app_id]
+
+        return nil unless schema
+
+        set_in_cache(cache_key, schema)
+        schema
+      rescue StandardError => e
+        puts "Error fetching app schema for #{app_id}: #{e.message}"
+        nil
+      end
+    end
+
+    def get_effective_permissions(user_id, app_id, organization_id)
+      return nil unless @config[:include_effective_permissions]
+
+      cache_key = "effective_permissions:#{user_id}:#{app_id}:#{organization_id}"
+
+      # Check cache first
+      cached_data = get_from_cache(cache_key)
+      if cached_data
+        @stats[:cache_hits] += 1
+        return cached_data
+      end
+
+      @stats[:cache_misses] += 1
+
+      begin
+        redis_key = "permissions:cache:#{user_id}:#{app_id}:#{organization_id}"
+        data = @redis_service.get(redis_key)
+
+        return nil unless data
+
+        effective_permissions = JSON.parse(data)
+
+        # Cache with shorter TTL for permission cache
+        set_in_cache(cache_key, effective_permissions, (@config[:cache_timeout] / 2).to_i)
+
+        effective_permissions
+      rescue StandardError => e
+        puts "Error fetching effective permissions #{user_id}:#{app_id}:#{organization_id}: #{e.message}"
+        nil
+      end
+    end
+
+    def get_user_organizations(user_id)
+      permissions = get_user_permissions(user_id)
+      return [] unless permissions&.dig('permissions')
+
+      user_organizations = []
+
+      permissions['permissions'].each do |app_id, orgs|
+        orgs.each do |organization_id, org_data|
+          next unless org_data['status'] == 'active'
+
+          effective_permissions = nil
+          effective_permissions = get_effective_permissions(user_id, app_id, organization_id) if @config[:include_effective_permissions]
+
+          user_org = {
+            'appId' => app_id,
+            'organizationId' => organization_id,
+            'roles' => org_data['roles'],
+            'status' => org_data['status']
+          }
+
+          user_org['effectivePermissions'] = effective_permissions if effective_permissions
+
+          user_organizations << user_org
+        end
+      end
+
+      user_organizations
+    end
+
+    def get_user_applications(user_id)
+      user_organizations = get_user_organizations(user_id)
+      unique_app_ids = user_organizations.map { |org| org['appId'] }.uniq
+
+      applications = []
+      unique_app_ids.each do |app_id|
+        app = get_application(app_id)
+        applications << app if app && app['isActive']
+      end
+
+      applications
+    end
+
+    def get_comprehensive_user_data(user_id)
+      permissions = get_user_permissions(user_id)
+      organizations = get_user_organizations(user_id)
+      applications = get_user_applications(user_id)
+
+      {
+        'permissions' => permissions,
+        'organizations' => organizations,
+        'applications' => applications
+      }
+    end
+
+    def clear_user_cache(user_id)
+      keys_to_remove = @cache.keys.select { |key| key.include?(user_id) }
+      keys_to_remove.each do |key|
+        @cache.delete(key)
+        @cache_timestamps.delete(key)
+      end
+    end
+
+    def clear_all_cache
+      @cache.clear
+      @cache_timestamps.clear
+    end
+
+    def stats
+      @stats.dup
+    end
+
+    def initialized?
+      @stats[:initialized] && @redis_service.connected?
+    end
+
+    def shutdown
+      clear_all_cache
+      @redis_service.disconnect if @redis_service.respond_to?(:disconnect)
+      @stats[:initialized] = false
+      @stats[:connection_status] = 'disconnected'
+    end
+
+    private
+
+    def get_from_cache(key)
+      return nil unless @cache.key?(key)
+
+      timestamp = @cache_timestamps[key]
+      return nil unless timestamp
+
+      # Check if cache entry has expired
+      if Time.now.to_i - timestamp > @config[:cache_timeout]
+        @cache.delete(key)
+        @cache_timestamps.delete(key)
+        return nil
+      end
+
+      @cache[key]
+    end
+
+    def set_in_cache(key, value, _ttl = nil)
+      @cache[key] = value
+      @cache_timestamps[key] = Time.now.to_i
+    end
+  end
+end

data/lib/jwt_auth_cognito/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module JwtAuthCognito
-  VERSION = "0.1.0"
-end
+  VERSION = '0.3.0'
+end

data/lib/jwt_auth_cognito.rb

@@ -1,18 +1,22 @@
 # frozen_string_literal: true
 
-require_relative "jwt_auth_cognito/version"
-require_relative "jwt_auth_cognito/configuration"
-require_relative "jwt_auth_cognito/jwks_service"
-require_relative "jwt_auth_cognito/redis_service"
-require_relative "jwt_auth_cognito/token_blacklist_service"
-require_relative "jwt_auth_cognito/jwt_validator"
+require_relative 'jwt_auth_cognito/version'
+require_relative 'jwt_auth_cognito/configuration'
+require_relative 'jwt_auth_cognito/ssm_service'
+require_relative 'jwt_auth_cognito/jwks_service'
+require_relative 'jwt_auth_cognito/redis_service'
+require_relative 'jwt_auth_cognito/token_blacklist_service'
+require_relative 'jwt_auth_cognito/api_key_validator'
+require_relative 'jwt_auth_cognito/user_data_service'
+require_relative 'jwt_auth_cognito/error_utils'
+require_relative 'jwt_auth_cognito/jwt_validator'
 
 module JwtAuthCognito
   class Error < StandardError; end
   class ValidationError < Error; end
   class BlacklistError < Error; end
   class ConfigurationError < Error; end
-  
+
   # Specific JWT error types (matching Node.js implementation)
   class TokenExpiredError < ValidationError; end
   class TokenNotActiveError < ValidationError; end
@@ -33,9 +37,37 @@ module JwtAuthCognito
   def self.reset_configuration!
     @configuration = Configuration.new
   end
+
+  # Convenience factory method to create a Cognito validator
+  def self.create_cognito_validator(region:, user_pool_id:, client_id: nil, client_secret: nil, redis_config: {},
+                                    enable_api_key_validation: false, enable_user_data_retrieval: false)
+    old_config = configuration.dup
+
+    configure do |config|
+      config.cognito_region = region
+      config.cognito_user_pool_id = user_pool_id
+      config.cognito_client_id = client_id if client_id
+      config.cognito_client_secret = client_secret if client_secret
+      config.enable_api_key_validation = enable_api_key_validation
+      config.enable_user_data_retrieval = enable_user_data_retrieval
+
+      # Apply Redis configuration
+      config.redis_host = redis_config[:host] if redis_config[:host]
+      config.redis_port = redis_config[:port] if redis_config[:port]
+      config.redis_password = redis_config[:password] if redis_config[:password]
+      config.redis_ssl = redis_config[:tls] if redis_config.key?(:tls)
+      config.redis_ca_cert_path = redis_config[:ca_cert_path] if redis_config[:ca_cert_path]
+      config.redis_ca_cert_name = redis_config[:ca_cert_name] if redis_config[:ca_cert_name]
+    end
+
+    validator = JwtValidator.new
+
+    # Restore original configuration
+    @configuration = old_config
+
+    validator
+  end
 end
 
 # Cargar tareas Rake si estamos en Rails
-if defined?(Rails::Railtie)
-  require_relative "jwt_auth_cognito/railtie"
-end
+require_relative 'jwt_auth_cognito/railtie' if defined?(Rails::Railtie)