jwt_auth_cognito 0.1.1 → 1.0.0.pre.beta.1

data/lib/jwt_auth_cognito/redis_service.rb

@@ -1,13 +1,13 @@
 # frozen_string_literal: true
 
-require "redis"
-require "digest"
-require "openssl"
+require 'redis'
+require 'digest'
+require 'openssl'
 
 module JwtAuthCognito
   class RedisService
-    BLACKLIST_PREFIX = "jwt_blacklist:"
-    USER_TOKENS_PREFIX = "user_tokens:"
+    BLACKLIST_PREFIX = 'jwt_blacklist:'
+    USER_TOKENS_PREFIX = 'user_tokens:'
 
     def initialize(config = JwtAuthCognito.configuration)
       @config = config
@@ -17,13 +17,13 @@ module JwtAuthCognito
     def save_revoked_token(token_id, ttl = nil)
       connect_redis
       key = "#{BLACKLIST_PREFIX}#{token_id}"
-      
+
       if ttl
-        @redis.setex(key, ttl, "revoked")
+        @redis.setex(key, ttl, 'revoked')
       else
-        @redis.set(key, "revoked")
+        @redis.set(key, 'revoked')
       end
-      
+
       true
     rescue Redis::BaseError => e
       raise BlacklistError, "Failed to save revoked token: #{e.message}"
@@ -33,8 +33,8 @@ module JwtAuthCognito
       connect_redis
       key = "#{BLACKLIST_PREFIX}#{token_id}"
       result = @redis.exists?(key)
-      result.is_a?(Integer) ? result > 0 : result
-    rescue Redis::BaseError => e
+      result.is_a?(Integer) ? result.positive? : result
+    rescue Redis::BaseError
       # Graceful degradation - if Redis is down, don't block validation
       false
     end
@@ -50,19 +50,19 @@ module JwtAuthCognito
 
     def invalidate_user_tokens(user_id)
       connect_redis
-      
+
       # Get all tokens for the user
       user_key = "#{USER_TOKENS_PREFIX}#{user_id}"
       token_ids = @redis.smembers(user_key)
-      
+
       # Add all tokens to blacklist
       token_ids.each do |token_id|
         save_revoked_token(token_id)
       end
-      
+
       # Clear the user's token set
       @redis.del(user_key)
-      
+
       token_ids.length
     rescue Redis::BaseError => e
       raise BlacklistError, "Failed to invalidate user tokens: #{e.message}"
@@ -70,28 +70,28 @@ module JwtAuthCognito
 
     def track_user_token(user_id, token_id, ttl = nil)
       connect_redis
-      
+
       user_key = "#{USER_TOKENS_PREFIX}#{user_id}"
       @redis.sadd(user_key, token_id)
-      
+
       # Set expiration on the user's token set
       @redis.expire(user_key, ttl) if ttl
-      
+
       true
-    rescue Redis::BaseError => e
+    rescue Redis::BaseError
       # Non-critical operation, log but don't fail
       false
     end
 
     def generate_token_id(token)
       # Try to extract jti from token first
-      begin  
+      begin
         payload = JWT.decode(token, nil, false).first
-        return payload["jti"] if payload["jti"]
+        return payload['jti'] if payload['jti']
       rescue JWT::DecodeError
         # Fall back to hash if token can't be decoded
       end
-      
+
       # Generate hash-based ID
       Digest::SHA256.hexdigest(token)[0, 16]
     end
@@ -102,23 +102,21 @@ module JwtAuthCognito
       return @redis if @redis
 
       redis_options = build_redis_options
-      
+
       # Retry logic with exponential backoff (similar to Node.js implementation)
       max_retries = 3
       retry_count = 0
-      
+
       begin
         @redis = Redis.new(redis_options)
         @redis.ping # Test connection
         @redis
       rescue Redis::BaseError => e
         retry_count += 1
-        if retry_count <= max_retries
-          sleep(0.1 * (2 ** retry_count)) # Exponential backoff
-          retry
-        else
-          raise BlacklistError, "Failed to connect to Redis after #{max_retries} retries: #{e.message}"
-        end
+        raise BlacklistError, "Failed to connect to Redis after #{max_retries} retries: #{e.message}" unless retry_count <= max_retries
+
+        sleep(0.1 * (2**retry_count)) # Exponential backoff
+        retry
       end
     end
 
@@ -145,35 +143,76 @@ module JwtAuthCognito
 
     def build_ssl_params
       ssl_params = {}
-      
+
       # Set TLS version constraints
-      if @config.redis_tls_min_version
-        ssl_params[:min_version] = parse_tls_version(@config.redis_tls_min_version)
+      ssl_params[:min_version] = parse_tls_version(@config.redis_tls_min_version) if @config.redis_tls_min_version
+
+      ssl_params[:max_version] = parse_tls_version(@config.redis_tls_max_version) if @config.redis_tls_max_version
+
+      # CA certificate configuration with multiple sources
+      ca_cert_data = load_ca_certificate
+      if ca_cert_data
+        # Create a temporary file for the CA certificate
+        require 'tempfile'
+        temp_file = Tempfile.new('redis_ca_cert')
+        temp_file.write(ca_cert_data)
+        temp_file.close
+        ssl_params[:ca_file] = temp_file.path
+
+        # Store reference to prevent garbage collection
+        @temp_ca_file = temp_file
       end
-      
-      if @config.redis_tls_max_version
-        ssl_params[:max_version] = parse_tls_version(@config.redis_tls_max_version)
+
+      # Verification mode
+      ssl_params[:verify_mode] = case @config.redis_verify_mode
+                                 when 'none'
+                                   OpenSSL::SSL::VERIFY_NONE
+                                 when 'peer'
+                                   OpenSSL::SSL::VERIFY_PEER
+                                 else
+                                   OpenSSL::SSL::VERIFY_PEER
+                                 end
+
+      ssl_params
+    end
+
+    def load_ca_certificate
+      # Priority order for certificate loading (matching Node.js implementation):
+      # 1. SSM Parameter Store (for auth-service compatibility)
+      # 2. Local file system
+      # 3. Environment variable
+
+      # 1. Try SSM Parameter Store first (for auth-service compatibility)
+      if @config.redis_ca_cert_ssm_path && @config.redis_ca_cert_ssm_name
+        begin
+          puts '🔍 Loading CA certificate from SSM...'
+          return JwtAuthCognito::SSMService.get_ca_certificate(
+            @config.redis_ca_cert_ssm_path,
+            @config.redis_ca_cert_ssm_name
+          )
+        rescue StandardError => e
+          puts "⚠️  Failed to load certificate from SSM: #{e.message}"
+          puts '⚠️  Falling back to file system...'
+        end
       end
-      
-      # CA certificate configuration
+
+      # 2. Try local file system
       if @config.redis_ca_cert_path && @config.redis_ca_cert_name
         ca_cert_file = File.join(@config.redis_ca_cert_path, @config.redis_ca_cert_name)
         if File.exist?(ca_cert_file)
-          ssl_params[:ca_file] = ca_cert_file
+          puts "📁 Loading CA certificate from file system: #{ca_cert_file}"
+          return File.read(ca_cert_file)
         end
       end
-      
-      # Verification mode
-      case @config.redis_verify_mode
-      when 'none'
-        ssl_params[:verify_mode] = OpenSSL::SSL::VERIFY_NONE
-      when 'peer'
-        ssl_params[:verify_mode] = OpenSSL::SSL::VERIFY_PEER
-      else
-        ssl_params[:verify_mode] = OpenSSL::SSL::VERIFY_PEER
+
+      # 3. Try environment variable
+      if ENV['REDIS_CA_CERT']
+        puts '🌍 Loading CA certificate from environment variable'
+        return ENV['REDIS_CA_CERT']
       end
-      
-      ssl_params
+
+      puts '⚠️  No CA certificate found, proceeding without certificate validation'
+      nil
     end
 
     def parse_tls_version(version_string)
@@ -191,4 +230,4 @@ module JwtAuthCognito
       end
     end
   end
-end
+end

data/lib/jwt_auth_cognito/ssm_service.rb

@@ -0,0 +1,109 @@
+# frozen_string_literal: true
+
+require 'net/http'
+require 'json'
+require 'uri'
+require 'aws-sdk-ssm'
+
+module JwtAuthCognito
+  class SSMService
+    class << self
+      attr_accessor :client, :certificate_cache
+    end
+
+    @client = nil
+    @certificate_cache = {}
+
+    # Initialize the SSM client
+    def self.get_client
+      @client ||= begin
+        require 'aws-sdk-ssm'
+        region = ENV['AWS_REGION'] || ENV['AWS_DEFAULT_REGION'] || 'us-east-1'
+        Aws::SSM::Client.new(region: region)
+      end
+    rescue LoadError
+      raise ConfigurationError,
+            "aws-sdk-ssm gem is required for SSM functionality. Add 'gem \"aws-sdk-ssm\"' to your Gemfile"
+    end
+
+    # Gets a certificate from AWS Parameter Store (compatible with auth-service)
+    # Uses the same path pattern: /${cert_path}/${cert_name}
+    def self.get_ca_certificate(cert_path, cert_name)
+      full_path = "/#{cert_path}/#{cert_name}"
+
+      # Check cache first
+      if @certificate_cache.key?(full_path)
+        puts '📋 Using cached certificate from SSM'
+        return @certificate_cache[full_path]
+      end
+
+      begin
+        puts "📡 Getting certificate from Parameter Store: #{full_path}"
+
+        client = get_client
+        response = client.get_parameter({
+                                          name: full_path,
+                                          with_decryption: true
+                                        })
+
+        raise ConfigurationError, "Certificate parameter not found or invalid: #{full_path}" unless response.parameter&.value
+
+        # Cache the certificate
+        @certificate_cache[full_path] = response.parameter.value
+        puts '✅ Certificate obtained from SSM and cached'
+
+        response.parameter.value
+      rescue Aws::SSM::Errors::ParameterNotFound
+        raise ConfigurationError, "Certificate parameter not found: #{full_path}"
+      rescue Aws::SSM::Errors::ServiceError => e
+        puts "❌ Error getting certificate from SSM (#{full_path}): #{e.message}"
+        raise ConfigurationError, "Error accessing SSM: #{e.message}"
+      rescue StandardError => e
+        puts "❌ Error getting certificate from SSM (#{full_path}): #{e.message}"
+        raise e
+      end
+    end
+
+    # Gets a parameter from AWS Parameter Store
+    def self.get_parameter(parameter_name, with_decryption = true)
+      # Check cache first
+      return @certificate_cache[parameter_name] if @certificate_cache.key?(parameter_name)
+
+      begin
+        client = get_client
+        response = client.get_parameter({
+                                          name: parameter_name,
+                                          with_decryption: with_decryption
+                                        })
+
+        raise ConfigurationError, "Parameter not found or invalid: #{parameter_name}" unless response.parameter&.value
+
+        # Cache the parameter
+        @certificate_cache[parameter_name] = response.parameter.value
+
+        response.parameter.value
+      rescue Aws::SSM::Errors::ParameterNotFound
+        raise ConfigurationError, "Parameter not found: #{parameter_name}"
+      rescue Aws::SSM::Errors::ServiceError => e
+        puts "❌ Error getting parameter from SSM (#{parameter_name}): #{e.message}"
+        raise ConfigurationError, "Error accessing SSM: #{e.message}"
+      rescue StandardError => e
+        puts "❌ Error getting parameter from SSM (#{parameter_name}): #{e.message}"
+        raise e
+      end
+    end
+
+    # Clears the certificate cache
+    def self.clear_cache
+      @certificate_cache.clear
+    end
+
+    # Gets cache stats
+    def self.cache_stats
+      {
+        size: @certificate_cache.size,
+        keys: @certificate_cache.keys
+      }
+    end
+  end
+end

data/lib/jwt_auth_cognito/token_blacklist_service.rb

@@ -10,14 +10,12 @@ module JwtAuthCognito
     def add_to_blacklist(token, user_id: nil)
       token_id = @redis_service.generate_token_id(token)
       ttl = calculate_ttl(token)
-      
+
       result = @redis_service.save_revoked_token(token_id, ttl)
-      
+
       # Track token for user if provided
-      if user_id
-        @redis_service.track_user_token(user_id, token_id, ttl)
-      end
-      
+      @redis_service.track_user_token(user_id, token_id, ttl) if user_id
+
       result
     end
 
@@ -39,18 +37,18 @@ module JwtAuthCognito
     def calculate_ttl(token)
       begin
         payload = JWT.decode(token, nil, false).first
-        exp = payload["exp"]
-        
+        exp = payload['exp']
+
         if exp
           ttl = exp - Time.now.to_i
-          return ttl > 0 ? ttl : 1 # At least 1 second TTL
+          return ttl.positive? ? ttl : 1 # At least 1 second TTL
         end
       rescue JWT::DecodeError
         # If we can't decode the token, use a default TTL
       end
-      
+
       # Default TTL of 1 day if we can't determine expiration
-      86400
+      86_400
     end
   end
-end
+end