jwt_auth_cognito 0.1.1 → 1.0.0.pre.beta.1

data/lib/jwt_auth_cognito/user_data_service.rb

@@ -0,0 +1,332 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module JwtAuthCognito
+  class UserDataService
+    DEFAULT_CACHE_TTL = 300 # 5 minutes
+
+    def initialize(redis_service = nil, config = {})
+      @redis_service = redis_service || RedisService.new
+      @config = {
+        enable_user_data_retrieval: true,
+        include_applications: true,
+        include_organizations: true,
+        include_roles: true,
+        include_effective_permissions: false,
+        cache_timeout: DEFAULT_CACHE_TTL
+      }.merge(config)
+
+      @cache = {}
+      @cache_timestamps = {}
+      @stats = {
+        service: 'UserDataService',
+        connection_status: 'not-initialized',
+        initialized: false,
+        cache_hits: 0,
+        cache_misses: 0
+      }
+    end
+
+    def initialize!
+      @redis_service.initialize! unless @redis_service.connected?
+      @stats[:initialized] = true
+      @stats[:connection_status] = 'connected'
+      puts '✅ UserDataService initialized successfully'
+    rescue StandardError => e
+      @stats[:initialized] = false
+      @stats[:connection_status] = 'error'
+      @stats[:error] = e.message
+      puts "❌ UserDataService initialization failed: #{e.message}"
+      raise e
+    end
+
+    def get_user_permissions(user_id)
+      return nil unless @config[:enable_user_data_retrieval]
+
+      cache_key = "user_permissions:#{user_id}"
+
+      # Check cache first
+      cached_data = get_from_cache(cache_key)
+      if cached_data
+        @stats[:cache_hits] += 1
+        return cached_data
+      end
+
+      @stats[:cache_misses] += 1
+
+      begin
+        redis_key = "user:permissions:#{user_id}"
+        data = @redis_service.get(redis_key)
+
+        return nil unless data
+
+        permissions = JSON.parse(data)
+        set_in_cache(cache_key, permissions)
+
+        permissions
+      rescue StandardError => e
+        puts "Error fetching user permissions for #{user_id}: #{e.message}"
+        nil
+      end
+    end
+
+    def get_application(app_id)
+      return nil unless @config[:include_applications]
+
+      cache_key = "app:#{app_id}"
+
+      # Check cache first
+      cached_data = get_from_cache(cache_key)
+      if cached_data
+        @stats[:cache_hits] += 1
+        return cached_data
+      end
+
+      @stats[:cache_misses] += 1
+
+      begin
+        redis_key = "app:#{app_id}"
+        data = @redis_service.get(redis_key)
+
+        return nil unless data
+
+        application = JSON.parse(data)
+        set_in_cache(cache_key, application)
+
+        application
+      rescue StandardError => e
+        puts "Error fetching application #{app_id}: #{e.message}"
+        nil
+      end
+    end
+
+    def get_organization(app_id, organization_id)
+      return nil unless @config[:include_organizations]
+
+      cache_key = "org:#{app_id}:#{organization_id}"
+
+      # Check cache first
+      cached_data = get_from_cache(cache_key)
+      if cached_data
+        @stats[:cache_hits] += 1
+        return cached_data
+      end
+
+      @stats[:cache_misses] += 1
+
+      begin
+        redis_key = "org:#{app_id}:#{organization_id}"
+        data = @redis_service.get(redis_key)
+
+        return nil unless data
+
+        organization = JSON.parse(data)
+        set_in_cache(cache_key, organization)
+
+        organization
+      rescue StandardError => e
+        puts "Error fetching organization #{app_id}:#{organization_id}: #{e.message}"
+        nil
+      end
+    end
+
+    def get_app_roles(app_id, organization_id)
+      return nil unless @config[:include_roles]
+
+      cache_key = "app_roles:#{app_id}:#{organization_id}"
+
+      # Check cache first
+      cached_data = get_from_cache(cache_key)
+      if cached_data
+        @stats[:cache_hits] += 1
+        return cached_data
+      end
+
+      @stats[:cache_misses] += 1
+
+      begin
+        redis_key = "app:roles:#{app_id}:#{organization_id}"
+        data = @redis_service.get(redis_key)
+
+        return nil unless data
+
+        roles = JSON.parse(data)
+        set_in_cache(cache_key, roles)
+
+        roles
+      rescue StandardError => e
+        puts "Error fetching app roles #{app_id}:#{organization_id}: #{e.message}"
+        nil
+      end
+    end
+
+    def get_app_schema(app_id)
+      cache_key = "app_schema:#{app_id}"
+
+      # Check cache first
+      cached_data = get_from_cache(cache_key)
+      if cached_data
+        @stats[:cache_hits] += 1
+        return cached_data
+      end
+
+      @stats[:cache_misses] += 1
+
+      begin
+        redis_key = 'app-schemas'
+        data = @redis_service.get(redis_key)
+
+        return nil unless data
+
+        schemas = JSON.parse(data)
+        schema = schemas[app_id]
+
+        return nil unless schema
+
+        set_in_cache(cache_key, schema)
+        schema
+      rescue StandardError => e
+        puts "Error fetching app schema for #{app_id}: #{e.message}"
+        nil
+      end
+    end
+
+    def get_effective_permissions(user_id, app_id, organization_id)
+      return nil unless @config[:include_effective_permissions]
+
+      cache_key = "effective_permissions:#{user_id}:#{app_id}:#{organization_id}"
+
+      # Check cache first
+      cached_data = get_from_cache(cache_key)
+      if cached_data
+        @stats[:cache_hits] += 1
+        return cached_data
+      end
+
+      @stats[:cache_misses] += 1
+
+      begin
+        redis_key = "permissions:cache:#{user_id}:#{app_id}:#{organization_id}"
+        data = @redis_service.get(redis_key)
+
+        return nil unless data
+
+        effective_permissions = JSON.parse(data)
+
+        # Cache with shorter TTL for permission cache
+        set_in_cache(cache_key, effective_permissions, (@config[:cache_timeout] / 2).to_i)
+
+        effective_permissions
+      rescue StandardError => e
+        puts "Error fetching effective permissions #{user_id}:#{app_id}:#{organization_id}: #{e.message}"
+        nil
+      end
+    end
+
+    def get_user_organizations(user_id)
+      permissions = get_user_permissions(user_id)
+      return [] unless permissions&.dig('permissions')
+
+      user_organizations = []
+
+      permissions['permissions'].each do |app_id, orgs|
+        orgs.each do |organization_id, org_data|
+          next unless org_data['status'] == 'active'
+
+          effective_permissions = nil
+          effective_permissions = get_effective_permissions(user_id, app_id, organization_id) if @config[:include_effective_permissions]
+
+          user_org = {
+            'appId' => app_id,
+            'organizationId' => organization_id,
+            'roles' => org_data['roles'],
+            'status' => org_data['status']
+          }
+
+          user_org['effectivePermissions'] = effective_permissions if effective_permissions
+
+          user_organizations << user_org
+        end
+      end
+
+      user_organizations
+    end
+
+    def get_user_applications(user_id)
+      user_organizations = get_user_organizations(user_id)
+      unique_app_ids = user_organizations.map { |org| org['appId'] }.uniq
+
+      applications = []
+      unique_app_ids.each do |app_id|
+        app = get_application(app_id)
+        applications << app if app && app['isActive']
+      end
+
+      applications
+    end
+
+    def get_comprehensive_user_data(user_id)
+      permissions = get_user_permissions(user_id)
+      organizations = get_user_organizations(user_id)
+      applications = get_user_applications(user_id)
+
+      {
+        'permissions' => permissions,
+        'organizations' => organizations,
+        'applications' => applications
+      }
+    end
+
+    def clear_user_cache(user_id)
+      keys_to_remove = @cache.keys.select { |key| key.include?(user_id) }
+      keys_to_remove.each do |key|
+        @cache.delete(key)
+        @cache_timestamps.delete(key)
+      end
+    end
+
+    def clear_all_cache
+      @cache.clear
+      @cache_timestamps.clear
+    end
+
+    def stats
+      @stats.dup
+    end
+
+    def initialized?
+      @stats[:initialized] && @redis_service.connected?
+    end
+
+    def shutdown
+      clear_all_cache
+      @redis_service.disconnect if @redis_service.respond_to?(:disconnect)
+      @stats[:initialized] = false
+      @stats[:connection_status] = 'disconnected'
+    end
+
+    private
+
+    def get_from_cache(key)
+      return nil unless @cache.key?(key)
+
+      timestamp = @cache_timestamps[key]
+      return nil unless timestamp
+
+      # Check if cache entry has expired
+      if Time.now.to_i - timestamp > @config[:cache_timeout]
+        @cache.delete(key)
+        @cache_timestamps.delete(key)
+        return nil
+      end
+
+      @cache[key]
+    end
+
+    def set_in_cache(key, value, _ttl = nil)
+      @cache[key] = value
+      @cache_timestamps[key] = Time.now.to_i
+    end
+  end
+end

data/lib/jwt_auth_cognito/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module JwtAuthCognito
-  VERSION = "0.1.1"
-end
+  VERSION = '1.0.0-beta.1'
+end

data/lib/jwt_auth_cognito.rb

@@ -1,18 +1,22 @@
 # frozen_string_literal: true
 
-require_relative "jwt_auth_cognito/version"
-require_relative "jwt_auth_cognito/configuration"
-require_relative "jwt_auth_cognito/jwks_service"
-require_relative "jwt_auth_cognito/redis_service"
-require_relative "jwt_auth_cognito/token_blacklist_service"
-require_relative "jwt_auth_cognito/jwt_validator"
+require_relative 'jwt_auth_cognito/version'
+require_relative 'jwt_auth_cognito/configuration'
+require_relative 'jwt_auth_cognito/ssm_service'
+require_relative 'jwt_auth_cognito/jwks_service'
+require_relative 'jwt_auth_cognito/redis_service'
+require_relative 'jwt_auth_cognito/token_blacklist_service'
+require_relative 'jwt_auth_cognito/api_key_validator'
+require_relative 'jwt_auth_cognito/user_data_service'
+require_relative 'jwt_auth_cognito/error_utils'
+require_relative 'jwt_auth_cognito/jwt_validator'
 
 module JwtAuthCognito
   class Error < StandardError; end
   class ValidationError < Error; end
   class BlacklistError < Error; end
   class ConfigurationError < Error; end
-  
+
   # Specific JWT error types (matching Node.js implementation)
   class TokenExpiredError < ValidationError; end
   class TokenNotActiveError < ValidationError; end
@@ -33,9 +37,37 @@ module JwtAuthCognito
   def self.reset_configuration!
     @configuration = Configuration.new
   end
+
+  # Convenience factory method to create a Cognito validator
+  def self.create_cognito_validator(region:, user_pool_id:, client_id: nil, client_secret: nil, redis_config: {},
+                                    enable_api_key_validation: false, enable_user_data_retrieval: false)
+    old_config = configuration.dup
+
+    configure do |config|
+      config.cognito_region = region
+      config.cognito_user_pool_id = user_pool_id
+      config.cognito_client_id = client_id if client_id
+      config.cognito_client_secret = client_secret if client_secret
+      config.enable_api_key_validation = enable_api_key_validation
+      config.enable_user_data_retrieval = enable_user_data_retrieval
+
+      # Apply Redis configuration
+      config.redis_host = redis_config[:host] if redis_config[:host]
+      config.redis_port = redis_config[:port] if redis_config[:port]
+      config.redis_password = redis_config[:password] if redis_config[:password]
+      config.redis_ssl = redis_config[:tls] if redis_config.key?(:tls)
+      config.redis_ca_cert_path = redis_config[:ca_cert_path] if redis_config[:ca_cert_path]
+      config.redis_ca_cert_name = redis_config[:ca_cert_name] if redis_config[:ca_cert_name]
+    end
+
+    validator = JwtValidator.new
+
+    # Restore original configuration
+    @configuration = old_config
+
+    validator
+  end
 end
 
 # Cargar tareas Rake si estamos en Rails
-if defined?(Rails::Railtie)
-  require_relative "jwt_auth_cognito/railtie"
-end
+require_relative 'jwt_auth_cognito/railtie' if defined?(Rails::Railtie)

data/lib/tasks/jwt_auth_cognito.rake

@@ -1,13 +1,13 @@
 # frozen_string_literal: true
 
 namespace :jwt_auth_cognito do
-  desc "Genera archivo de configuración para jwt_auth_cognito"
+  desc 'Genera archivo de configuración para jwt_auth_cognito'
   task :install do
-    puts "🚀 Instalando jwt_auth_cognito..."
-    
+    puts '🚀 Instalando jwt_auth_cognito...'
+
     # Verificar si estamos en una aplicación Rails
     unless defined?(Rails)
-      puts "❌ Error: Este comando debe ejecutarse desde una aplicación Rails"
+      puts '❌ Error: Este comando debe ejecutarse desde una aplicación Rails'
       exit 1
     end
 
@@ -20,10 +20,10 @@ namespace :jwt_auth_cognito do
     # Generar archivo de configuración
     if File.exist?(config_file)
       print "El archivo #{config_file} ya existe. ¿Sobrescribir? (y/N): "
-      response = STDIN.gets.chomp.downcase
-      
+      response = $stdin.gets.chomp.downcase
+
       unless %w[y yes sí si].include?(response)
-        puts "⏭️  Instalación cancelada"
+        puts '⏭️  Instalación cancelada'
         exit 0
       end
     end
@@ -36,107 +36,106 @@ namespace :jwt_auth_cognito do
 
     # Generar/actualizar .env.example
     env_content = generate_env_content
-    
+
     if File.exist?(env_file)
       existing_content = File.read(env_file)
-      unless existing_content.include?('COGNITO_USER_POOL_ID')
-        File.write(env_file, existing_content + "\n" + env_content)
-        puts "✅ Variables agregadas a .env.example"
+      if existing_content.include?('COGNITO_USER_POOL_ID')
+        puts 'ℹ️  Variables ya existen en .env.example'
       else
-        puts "ℹ️  Variables ya existen en .env.example"
+        File.write(env_file, "#{existing_content}\n#{env_content}")
+        puts '✅ Variables agregadas a .env.example'
       end
     else
       File.write(env_file, env_content)
-      puts "✅ Archivo .env.example creado"
+      puts '✅ Archivo .env.example creado'
     end
 
     show_next_steps
   end
 
-  desc "Muestra la configuración actual de jwt_auth_cognito"
+  desc 'Muestra la configuración actual de jwt_auth_cognito'
   task :config do
-    puts "📋 Configuración actual de jwt_auth_cognito:"
-    puts "=" * 50
-    
+    puts '📋 Configuración actual de jwt_auth_cognito:'
+    puts '=' * 50
+
     config = JwtAuthCognito.configuration
-    
-    puts "🏛️  AWS Cognito:"
+
+    puts '🏛️  AWS Cognito:'
     puts "   Region: #{config.cognito_region || '❌ NO CONFIGURADO'}"
     puts "   User Pool ID: #{config.cognito_user_pool_id || '❌ NO CONFIGURADO'}"
     puts "   Client ID: #{config.cognito_client_id || '❌ NO CONFIGURADO'}"
     puts "   Client Secret: #{config.has_client_secret? ? '✅ CONFIGURADO' : '⚠️  NO CONFIGURADO'}"
-    
+
     puts "\n🗄️  Redis:"
     puts "   Host: #{config.redis_host}"
     puts "   Puerto: #{config.redis_port}"
     puts "   Base de datos: #{config.redis_db}"
     puts "   TLS: #{config.redis_ssl ? '✅ HABILITADO' : '❌ DESHABILITADO'}"
     puts "   Password: #{config.redis_password ? '✅ CONFIGURADO' : '❌ NO CONFIGURADO'}"
-    
+
     puts "\n⚙️  Configuración:"
     puts "   Modo de validación: #{config.validation_mode}"
     puts "   Cache JWKS TTL: #{config.jwks_cache_ttl}s"
     puts "   Entorno: #{config.environment}"
-    
+
     puts "\n🔍 URLs:"
     begin
       puts "   JWKS URL: #{config.jwks_url}"
       puts "   Cognito Issuer: #{config.cognito_issuer}"
-    rescue => e
+    rescue StandardError => e
       puts "   ❌ Error generando URLs: #{e.message}"
     end
   end
 
-  desc "Prueba la conexión a Redis"
+  desc 'Prueba la conexión a Redis'
   task :test_redis do
-    puts "🔧 Probando conexión a Redis..."
-    
+    puts '🔧 Probando conexión a Redis...'
+
     begin
       redis_service = JwtAuthCognito::RedisService.new
       redis_service.send(:connect_redis)
-      puts "✅ Conexión a Redis exitosa"
-    rescue => e
+      puts '✅ Conexión a Redis exitosa'
+    rescue StandardError => e
       puts "❌ Error conectando a Redis: #{e.message}"
       puts "\n💡 Verifica tu configuración de Redis en las variables de entorno"
     end
   end
 
-  desc "Prueba la configuración de Cognito"
+  desc 'Prueba la configuración de Cognito'
   task :test_cognito do
-    puts "🔧 Probando configuración de Cognito..."
-    
+    puts '🔧 Probando configuración de Cognito...'
+
     config = JwtAuthCognito.configuration
-    
+
     begin
       config.validate!
-      puts "✅ Configuración básica de Cognito válida"
-      
+      puts '✅ Configuración básica de Cognito válida'
+
       # Probar JWKS
       jwks_service = JwtAuthCognito::JwksService.new
       jwks_service.send(:fetch_jwks)
-      puts "✅ Conexión a JWKS exitosa"
-      
-    rescue => e
+      puts '✅ Conexión a JWKS exitosa'
+    rescue StandardError => e
       puts "❌ Error en configuración de Cognito: #{e.message}"
       puts "\n💡 Verifica tus variables de entorno de Cognito"
     end
   end
 
-  desc "Limpia todos los tokens de la blacklist"
+  desc 'Limpia todos los tokens de la blacklist'
   task :clear_blacklist do
-    print "⚠️  ¿Estás seguro de que quieres limpiar toda la blacklist? (y/N): "
-    response = STDIN.gets.chomp.downcase
-    
+    print '⚠️  ¿Estás seguro de que quieres limpiar toda la blacklist? (y/N): '
+    response = $stdin.gets.chomp.downcase
+
     if %w[y yes sí si].include?(response)
       begin
         blacklist_service = JwtAuthCognito::TokenBlacklistService.new
         count = blacklist_service.clear_all_blacklisted_tokens
         puts "✅ #{count} tokens eliminados de la blacklist"
-      rescue => e
+      rescue StandardError => e
         puts "❌ Error limpiando blacklist: #{e.message}"
       end
     else
-      puts "⏭️  Operación cancelada"
+      puts '⏭️  Operación cancelada'
     end
   end
 
@@ -144,7 +143,7 @@ namespace :jwt_auth_cognito do
 
   def generate_config_content
     has_redis_config = defined?(Rails) && File.exist?(Rails.root.join('config', 'redis.yml'))
-    
+
     <<~CONFIG
       # frozen_string_literal: true
 
@@ -155,16 +154,16 @@ namespace :jwt_auth_cognito do
         # =============================================================================
         # CONFIGURACIÓN DE AWS COGNITO
         # =============================================================================
-        
+      #{'  '}
         # User Pool ID de tu Cognito (requerido)
         config.cognito_user_pool_id = ENV['COGNITO_USER_POOL_ID']
-        
+      #{'  '}
         # Región de AWS donde está tu Cognito (requerido)
         config.cognito_region = ENV['COGNITO_REGION'] || ENV['AWS_REGION'] || 'us-east-1'
-        
+      #{'  '}
         # Client ID de tu aplicación en Cognito (requerido para validación de audiencia)
         config.cognito_client_id = ENV['COGNITO_CLIENT_ID']
-        
+      #{'  '}
         # Client Secret de tu aplicación en Cognito (opcional, para mayor seguridad)
         # Si tu User Pool App Client está configurado con client secret, esto es requerido
         config.cognito_client_secret = ENV['COGNITO_CLIENT_SECRET']
@@ -172,9 +171,9 @@ namespace :jwt_auth_cognito do
         # =============================================================================
         # CONFIGURACIÓN DE REDIS (para blacklist de tokens)
         # =============================================================================
-        
+      #{'  '}
       #{redis_config_section(has_redis_config)}
-        
+      #{'  '}
         # Configuración de timeouts para Redis
         config.redis_timeout = ENV['REDIS_TIMEOUT']&.to_i || 5
         config.redis_connect_timeout = ENV['REDIS_CONNECT_TIMEOUT']&.to_i || 10
@@ -183,11 +182,11 @@ namespace :jwt_auth_cognito do
         # =============================================================================
         # CONFIGURACIÓN TLS PARA REDIS (PRODUCCIÓN)
         # =============================================================================
-        
+      #{'  '}
         # Configuración de certificados CA para Redis TLS
         config.redis_ca_cert_path = ENV['REDIS_CA_CERT_PATH']
         config.redis_ca_cert_name = ENV['REDIS_CA_CERT_NAME']
-        
+      #{'  '}
         # Control de versiones TLS
         config.redis_tls_min_version = ENV['REDIS_TLS_MIN_VERSION'] || 'TLSv1.2'
         config.redis_tls_max_version = ENV['REDIS_TLS_MAX_VERSION'] || 'TLSv1.3'
@@ -196,10 +195,10 @@ namespace :jwt_auth_cognito do
         # =============================================================================
         # CONFIGURACIÓN DE VALIDACIÓN
         # =============================================================================
-        
+      #{'  '}
         # Modo de validación: :secure (producción) o :basic (desarrollo)
         config.validation_mode = Rails.env.production? ? :secure : :basic
-        
+      #{'  '}
         # Tiempo de cache para claves JWKS (en segundos)
         config.jwks_cache_ttl = ENV['JWKS_CACHE_TTL']&.to_i || 3600 # 1 hora
       end
@@ -265,26 +264,26 @@ namespace :jwt_auth_cognito do
   end
 
   def show_next_steps
-    puts "\n" + "=" * 60
-    puts "🎉 ¡Instalación de jwt_auth_cognito completada!"
-    puts "=" * 60
+    puts "\n#{'=' * 60}"
+    puts '🎉 ¡Instalación de jwt_auth_cognito completada!'
+    puts '=' * 60
     puts "\n📋 PRÓXIMOS PASOS:"
     puts "\n1. 🔧 Configura las variables de entorno:"
-    puts "   - Edita .env (si usas dotenv) o configura variables del sistema"
-    puts "   - Como mínimo configura: COGNITO_USER_POOL_ID, COGNITO_REGION, COGNITO_CLIENT_ID"
-    
+    puts '   - Edita .env (si usas dotenv) o configura variables del sistema'
+    puts '   - Como mínimo configura: COGNITO_USER_POOL_ID, COGNITO_REGION, COGNITO_CLIENT_ID'
+
     puts "\n2. 🧪 Prueba la configuración:"
-    puts "   rake jwt_auth_cognito:config          # Ver configuración actual"
-    puts "   rake jwt_auth_cognito:test_cognito    # Probar Cognito"
-    puts "   rake jwt_auth_cognito:test_redis      # Probar Redis"
-    
+    puts '   rake jwt_auth_cognito:config          # Ver configuración actual'
+    puts '   rake jwt_auth_cognito:test_cognito    # Probar Cognito'
+    puts '   rake jwt_auth_cognito:test_redis      # Probar Redis'
+
     puts "\n3. 🚀 Reinicia tu aplicación Rails"
-    
+
     puts "\n4. 📖 Usa la gema en tu código:"
-    puts "   validator = JwtAuthCognito::JwtValidator.new"
-    puts "   result = validator.validate_token(jwt_token)"
-    
+    puts '   validator = JwtAuthCognito::JwtValidator.new'
+    puts '   result = validator.validate_token(jwt_token)'
+
     puts "\n💡 Para más ejemplos, revisa el README de la gema"
-    puts "=" * 60
+    puts '=' * 60
   end
-end
+end