jwt_auth_cognito 1.0.0.pre.beta.4 → 1.0.0.pre.beta.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 265f4f1001ed0adae7545f86aa2589b9d290581afec125118e9630a17bd6b66a
-  data.tar.gz: 506db504efbff37dd02a58aef7e500274d7fcdb87e65de0b121ff9abe6a40c8c
+  metadata.gz: 81416775877402a8d73ccc1404f223f8210f6fb757c3b9193c73718c81260dd7
+  data.tar.gz: 89700ce4cbe9518ab25586b22f0ab46a315d60dd03e267e78c47b729d0641e9d
 SHA512:
-  metadata.gz: df9ee430a4c8b03c30701f612ddb41630c0563b2476800426abc05ccc2de87376c1dab736233c19a6da544f34efdf9cf84e1d989414a9790e1552d2dbbd67db5
-  data.tar.gz: 9199048166b82dd476b88083a5b4272b391d792d4d8992d5ed8f04ebf9e85951a000f783be728ed8900e29afc9527038f6a6a0edb867d9cbe78a7ff20e52cab3
+  metadata.gz: fa00db084bed24d06c72f102332b453b561bb7dc8dd45e3b77d7caea097446dab1f292edac92b725da5b1ebd8e949a80b2b69ee4359fa6707b44a9b93c7af74b
+  data.tar.gz: be08d9bea8482431b5df5c4d40ea32f450d25e8136cb66c3d8b80b18902c06b802c77645edbc2f7e0b6cc8ca58003530b5ef9fdb33ef65e392c9c6a4e3840df3

data/CHANGELOG.md

@@ -7,6 +7,39 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.0.0-beta.5] - 2025-01-22
+
+### Fixed
+
+- **RubyGems Deployment Pipeline**: Fixed CI/CD deployment issues
+  - Removed MFA requirement that was blocking automated deployment
+  - Fixed credentials YAML format using `printf` to avoid parsing conflicts
+  - Removed unnecessary openssl dependency (part of Ruby stdlib)
+  - Updated pipeline to use correct `:rubygems_api_key:` format for credentials
+
+- **API Key Validation**: Added missing Redis methods for ApiKeyValidator
+  - Added generic `get()` and `set()` methods to RedisService
+  - Methods include proper error handling with BlacklistError exceptions
+  - Support for TTL parameter in set() method using setex
+  - Resolves "undefined method `get` for RedisService" error
+
+### Improved
+
+- **Code Quality**: Enhanced test coverage and documentation
+  - Added comprehensive tests for new Redis methods
+  - All tests passing (74 examples, 0 failures)
+  - RuboCop compliance maintained
+  - Updated CLAUDE.md with correct deployment procedures
+
+## [1.0.0-beta.4] - 2025-01-16
+
+### Fixed
+
+- **Code Cleanup**: Removed deprecated methods from JwtValidator
+  - Removed old validate_token_* methods to reduce API surface
+  - Enhanced validate_enriched documentation with parameter examples
+  - Maintained backward compatibility for main validation methods
+
 ## [1.0.0-beta.3] - 2025-01-16
 
 ### Fixed

data/CLAUDE.md

@@ -92,6 +92,7 @@ rake jwt_auth_cognito:test_cognito # Test Cognito connection
 - **Retry Logic**: Exponential backoff for failed operations
 - **Blacklist Strategy**: Uses Redis sets with automatic TTL management for token revocation
 - **User Token Tracking**: Maintains user-to-tokens mapping for bulk revocation capabilities
+- **Generic Operations**: Provides `get()` and `set()` methods for API key storage and general Redis operations with TTL support
 
 ### ✅ **SSM Parameter Store Integration** - NEW December 2024
 
@@ -248,9 +249,11 @@ REDIS_TLS_MAX_VERSION=TLSv1_3
 ### AWS Configuration (for SSM)
 ```bash
 AWS_REGION=us-east-1
-AWS_ACCESS_KEY_ID=your-access-key
-AWS_SECRET_ACCESS_KEY=your-secret-key
-# Or use IAM roles/instance profiles
+AWS_ACCESS_KEY_ID=your-access-key        # Opcional, usa aws configure si no se proporciona
+AWS_SECRET_ACCESS_KEY=your-secret-key    # Opcional, usa aws configure si no se proporciona
+AWS_SESSION_TOKEN=your-session-token     # Opcional, para credenciales temporales
+AWS_SSM_ENDPOINT=https://ssm.us-east-1.amazonaws.com  # Opcional, para VPC endpoints
+# Or use IAM roles/instance profiles (recommended for production)
 ```
 
 ### Feature Configuration
@@ -301,14 +304,16 @@ JWKS_CACHE_TTL=3600  # 1 hour
 
 ## Version Compatibility
 
-### ✅ **Updated January 2025 - Version 0.3.0**
+### ✅ **Updated January 2025 - Version 1.0.0-beta.5**
 
-**Major feature expansion with UserDataService and deployment automation**
+**Production-ready beta with deployment automation and API key support**
 
 - ✅ UserDataService with auth-service compatibility
 - ✅ Enhanced error handling with ErrorUtils
 - ✅ Enriched token validation with user context
-- ✅ Automated CI/CD pipeline with Bitbucket
+- ✅ Automated CI/CD pipeline with Bitbucket (deployment issues resolved)
+- ✅ Complete API key validation support with Redis storage
+- ✅ Generic Redis operations (`get`/`set`) for extensibility
 - ✅ Synchronized feature set with Node.js package (maintaining independent versioning)
 - ✅ Maintains consistent API across language implementations
 

data/README.md

@@ -95,6 +95,14 @@ REDIS_VERIFY_MODE=peer
 # Configuración de cache
 JWKS_CACHE_TTL=3600
 
+# Configuración AWS para Parameter Store (SSM)
+# Nota: Si no se configuran, usa la cadena de credenciales estándar de AWS (aws configure, IAM roles, etc.)
+AWS_REGION=us-east-1
+AWS_ACCESS_KEY_ID=your-access-key        # Opcional, usa aws configure si no se proporciona
+AWS_SECRET_ACCESS_KEY=your-secret-key    # Opcional, usa aws configure si no se proporciona
+AWS_SESSION_TOKEN=your-session-token     # Opcional, para credenciales temporales
+AWS_SSM_ENDPOINT=https://ssm.us-east-1.amazonaws.com  # Opcional, para VPC endpoints
+
 # Habilitar funcionalidades específicas
 ENABLE_API_KEY_VALIDATION=true          # Validación de API keys
 ENABLE_USER_DATA_RETRIEVAL=true         # Enriquecimiento de datos de usuario
@@ -109,6 +117,65 @@ La gema soporta las siguientes opciones boolean para habilitar funcionalidades e
 
 Estas opciones permiten control granular sobre qué características están activas, optimizando el rendimiento habilitando solo la funcionalidad necesaria.
 
+## Configuración AWS para Development
+
+### Desarrollo Local
+
+Para desarrollo local, la gema usa la **cadena de credenciales estándar de AWS**:
+
+```bash
+# Opción 1: Configurar perfil por defecto (recomendado para desarrollo)
+aws configure
+# Configura: access key, secret key, región, formato
+
+# Opción 2: Usar perfil específico
+aws configure --profile mi-proyecto
+export AWS_PROFILE=mi-proyecto
+
+# Opción 3: Variables de entorno específicas del proyecto
+export AWS_REGION=us-east-1
+export AWS_ACCESS_KEY_ID=AKIA...
+export AWS_SECRET_ACCESS_KEY=xyz123...
+```
+
+### Orden de Prioridad de Credenciales
+
+1. **Variables de entorno** (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`)
+2. **Archivo de credenciales** (`~/.aws/credentials`)
+3. **Perfil AWS** (`AWS_PROFILE` o `[default]`)
+4. **IAM roles** (en EC2, ECS, Lambda, etc.)
+
+### Permisos Necesarios para SSM
+
+Tu usuario/rol AWS necesita permisos para acceder a Parameter Store:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ssm:GetParameter",
+        "ssm:GetParameters"
+      ],
+      "Resource": "arn:aws:ssm:us-east-1:*:parameter/redis/*"
+    }
+  ]
+}
+```
+
+### Debugging de Configuración AWS
+
+La gema incluye logging detallado para diagnosis:
+
+```
+📡 Getting certificate from Parameter Store: /redis/ca-cert
+🌍 AWS Region: us-east-1
+🔑 Credentials configured: No (using IAM role/profile)  👈 Indica uso de aws configure
+✅ Certificate obtained from SSM and cached
+```
+
 ## Uso
 
 ### Validación Básica de Tokens

data/lib/jwt_auth_cognito/redis_service.rb

@@ -96,6 +96,25 @@ module JwtAuthCognito
       Digest::SHA256.hexdigest(token)[0, 16]
     end
 
+    def get(key)
+      connect_redis
+      @redis.get(key)
+    rescue Redis::BaseError => e
+      raise BlacklistError, "Failed to get key '#{key}': #{e.message}"
+    end
+
+    def set(key, value, ttl = nil)
+      connect_redis
+      if ttl
+        @redis.setex(key, ttl, value)
+      else
+        @redis.set(key, value)
+      end
+      true
+    rescue Redis::BaseError => e
+      raise BlacklistError, "Failed to set key '#{key}': #{e.message}"
+    end
+
     private
 
     def connect_redis

data/lib/jwt_auth_cognito/ssm_service.rb

@@ -14,12 +14,28 @@ module JwtAuthCognito
     @client = nil
     @certificate_cache = {}
 
-    # Initialize the SSM client
+    # Initialize the SSM client with comprehensive AWS configuration
     def self.get_client
       @client ||= begin
         require 'aws-sdk-ssm'
-        region = ENV['AWS_REGION'] || ENV['AWS_DEFAULT_REGION'] || 'us-east-1'
-        Aws::SSM::Client.new(region: region)
+
+        client_config = {
+          region: ENV['AWS_REGION'] || ENV['AWS_DEFAULT_REGION'] || 'us-east-1'
+        }
+
+        # Add credentials if provided
+        if ENV['AWS_ACCESS_KEY_ID'] && ENV['AWS_SECRET_ACCESS_KEY']
+          client_config[:credentials] = Aws::Credentials.new(
+            ENV['AWS_ACCESS_KEY_ID'],
+            ENV['AWS_SECRET_ACCESS_KEY'],
+            ENV.fetch('AWS_SESSION_TOKEN', nil)
+          )
+        end
+
+        # Add endpoint if provided (for custom endpoints)
+        client_config[:endpoint] = ENV['AWS_SSM_ENDPOINT'] if ENV['AWS_SSM_ENDPOINT']
+
+        Aws::SSM::Client.new(client_config)
       end
     rescue LoadError
       raise ConfigurationError,
@@ -38,7 +54,12 @@ module JwtAuthCognito
       end
 
       begin
+        region = ENV['AWS_REGION'] || ENV['AWS_DEFAULT_REGION'] || 'us-east-1'
+        has_credentials = !(ENV.fetch('AWS_ACCESS_KEY_ID', nil) && ENV.fetch('AWS_SECRET_ACCESS_KEY', nil)).nil?
+
         puts "📡 Getting certificate from Parameter Store: #{full_path}"
+        puts "🌍 AWS Region: #{region}"
+        puts "🔑 Credentials configured: #{has_credentials ? 'Yes' : 'No (using IAM role/profile)'}"
 
         client = get_client
         response = client.get_parameter({

data/lib/jwt_auth_cognito/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module JwtAuthCognito
-  VERSION = '1.0.0-beta.4'
+  VERSION = '1.0.0-beta.5'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: jwt_auth_cognito
 version: !ruby/object:Gem::Version
-  version: 1.0.0.pre.beta.4
+  version: 1.0.0.pre.beta.5
 platform: ruby
 authors:
 - The Optimal