jwt_authorize 0.2.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/lib/jwt_authorize.rb +64 -0
- data/lib/jwt_authorize/jwt_consts.rb +4 -0
- data/lib/jwt_authorize/jwt_decoder.rb +75 -0
- data/lib/jwt_authorize/jwt_payload_authorizer.rb +55 -0
- data/lib/jwt_authorize/version.rb +3 -0
- metadata +118 -0
checksums.yaml
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
---
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 66496a68b009b540f997f4ea96f0bdcc15c8182b2bae9c78b77f42a1f9c74f4b
|
|
4
|
+
data.tar.gz: d729629a346b4806cd4f88cc6d42a1744edf90627a408c61d3e08c3fbff236c7
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: 7eb7e532be4ae3e215ee07792abdcf96f1d7b69e7dff03b7f926ece9802d9ac731111982d20e16857266093a6a6af36834f195d7a39d653e4485ef20e4139fed
|
|
7
|
+
data.tar.gz: 997b0802d7af46b8aa07440e4071ea62b8603fe624e24374bccd2dfae0995567a4a6fb7eeb37aa5d3e6b63bb73081e67f864370a21ae644528eec79b6848a184
|
|
@@ -0,0 +1,64 @@
|
|
|
1
|
+
# Copyright 2016 Adobe Systems Incorporated. All rights reserved.
|
|
2
|
+
# This file is licensed to you under the Apache License, Version 2.0 (the "License");
|
|
3
|
+
# you may not use this file except in compliance with the License. You may obtain a copy
|
|
4
|
+
# of the License at http://www.apache.org/licenses/LICENSE-2.0
|
|
5
|
+
#
|
|
6
|
+
# Unless required by applicable law or agreed to in writing, software distributed under
|
|
7
|
+
# the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
|
|
8
|
+
# OF ANY KIND, either express or implied. See the License for the specific language
|
|
9
|
+
# governing permissions and limitations under the License.
|
|
10
|
+
|
|
11
|
+
require "jwt_authorize/version"
|
|
12
|
+
require "jwt_authorize/jwt_decoder"
|
|
13
|
+
require "jwt_authorize/jwt_payload_authorizer"
|
|
14
|
+
require "logger"
|
|
15
|
+
|
|
16
|
+
module JwtAuthorize
|
|
17
|
+
class << self
|
|
18
|
+
attr_writer :logger
|
|
19
|
+
|
|
20
|
+
def get_certificate_thumbprint(auth_token)
|
|
21
|
+
headers = get_jwt_headers(auth_token)
|
|
22
|
+
|
|
23
|
+
headers[CERTIFICATE_THUMBPRINT]
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
def get_certificate_path(auth_token)
|
|
27
|
+
headers = get_jwt_headers(auth_token)
|
|
28
|
+
|
|
29
|
+
headers[CERTIFICATE_PATH]
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
def get_jwt_headers(auth_token)
|
|
33
|
+
JwtAuthorize::JwtDecoder.new.get_headers_from_jwt(auth_token)
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
def decode(auth_token, certificate, options = {})
|
|
37
|
+
fail "No public key" if certificate.nil?
|
|
38
|
+
|
|
39
|
+
JwtAuthorize::JwtDecoder.new(logger, options).get_payload_from_jwt(auth_token, certificate)
|
|
40
|
+
rescue => err
|
|
41
|
+
logger.error("Error decoding JWT token: #{err}")
|
|
42
|
+
nil
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
def authorized_request?(payload, permissions, base_repo)
|
|
46
|
+
JwtAuthorize::JwtPayloadAuthorizer.new(permissions, logger).authorized?(payload, base_repo)
|
|
47
|
+
rescue => err
|
|
48
|
+
logger.error("Error processing JWT token: #{err}")
|
|
49
|
+
false
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
def authorized?(certificate, auth_token, permissions, base_repo, options = {})
|
|
53
|
+
decoded = decode(auth_token, certificate, options)
|
|
54
|
+
|
|
55
|
+
decoded.nil? ? false : authorized_request?(decoded.first, permissions, base_repo)
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
def logger
|
|
59
|
+
@logger ||= Logger.new($stdout).tap do |log|
|
|
60
|
+
log.progname = name
|
|
61
|
+
end
|
|
62
|
+
end
|
|
63
|
+
end
|
|
64
|
+
end
|
|
@@ -0,0 +1,75 @@
|
|
|
1
|
+
# Copyright 2016 Adobe Systems Incorporated. All rights reserved.
|
|
2
|
+
# This file is licensed to you under the Apache License, Version 2.0 (the "License");
|
|
3
|
+
# you may not use this file except in compliance with the License. You may obtain a copy
|
|
4
|
+
# of the License at http://www.apache.org/licenses/LICENSE-2.0
|
|
5
|
+
#
|
|
6
|
+
# Unless required by applicable law or agreed to in writing, software distributed under
|
|
7
|
+
# the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
|
|
8
|
+
# OF ANY KIND, either express or implied. See the License for the specific language
|
|
9
|
+
# governing permissions and limitations under the License.
|
|
10
|
+
|
|
11
|
+
require "jwt"
|
|
12
|
+
require "jwt_authorize/jwt_consts"
|
|
13
|
+
|
|
14
|
+
module JwtAuthorize
|
|
15
|
+
class JwtDecoder
|
|
16
|
+
def initialize(logger = nil, options = {})
|
|
17
|
+
@logger = logger
|
|
18
|
+
@options = options
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
def get_payload_from_jwt(header, certificate)
|
|
22
|
+
fail "No certificate specified" unless certificate
|
|
23
|
+
|
|
24
|
+
validate_header(header)
|
|
25
|
+
|
|
26
|
+
token = token_from_header(header)
|
|
27
|
+
|
|
28
|
+
decoded = decode_token(token, certificate)
|
|
29
|
+
|
|
30
|
+
options = decoded.last
|
|
31
|
+
validate_thumbprint(options[CERTIFICATE_THUMBPRINT], certificate)
|
|
32
|
+
|
|
33
|
+
decoded
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
def get_headers_from_jwt(token)
|
|
37
|
+
fail "token is nil" if token.nil?
|
|
38
|
+
|
|
39
|
+
headers = token_from_header(token).split(".").first
|
|
40
|
+
|
|
41
|
+
JSON.parse(Base64.decode64(headers))
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
private
|
|
45
|
+
|
|
46
|
+
def validate_header(header)
|
|
47
|
+
fail "Header is nil!" if header.nil?
|
|
48
|
+
fail "Incorrectly formatted token" unless header.start_with?("bearer")
|
|
49
|
+
end
|
|
50
|
+
|
|
51
|
+
def token_from_header(header)
|
|
52
|
+
_type, token = header.split(" ", 2)
|
|
53
|
+
fail "#{header} is invalid token!" unless token
|
|
54
|
+
|
|
55
|
+
token
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
def validate_thumbprint(head_thumb, certificate)
|
|
59
|
+
cert_thumb = calculate_thumbprint(certificate)
|
|
60
|
+
fail "Cert SHA1 mismatch. head: #{head_thumb}, cert: #{cert_thumb}" unless head_thumb.casecmp(cert_thumb)
|
|
61
|
+
end
|
|
62
|
+
|
|
63
|
+
def decode_token(token, certificate)
|
|
64
|
+
@options[:algorithm] = "RS256"
|
|
65
|
+
JWT.decode(token, certificate.public_key, true, @options)
|
|
66
|
+
rescue JWT::ExpiredSignature, JWT::VerificationError => err
|
|
67
|
+
@logger.error("Payload could not be decoded: #{err}") unless @logger.nil?
|
|
68
|
+
raise "Payload could not be decoded from token."
|
|
69
|
+
end
|
|
70
|
+
|
|
71
|
+
def calculate_thumbprint(certificate)
|
|
72
|
+
OpenSSL::Digest::SHA1.hexdigest(certificate.to_der).scan(/../).join(":")
|
|
73
|
+
end
|
|
74
|
+
end
|
|
75
|
+
end
|
|
@@ -0,0 +1,55 @@
|
|
|
1
|
+
# Copyright 2016 Adobe Systems Incorporated. All rights reserved.
|
|
2
|
+
# This file is licensed to you under the Apache License, Version 2.0 (the "License");
|
|
3
|
+
# you may not use this file except in compliance with the License. You may obtain a copy
|
|
4
|
+
# of the License at http://www.apache.org/licenses/LICENSE-2.0
|
|
5
|
+
#
|
|
6
|
+
# Unless required by applicable law or agreed to in writing, software distributed under
|
|
7
|
+
# the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
|
|
8
|
+
# OF ANY KIND, either express or implied. See the License for the specific language
|
|
9
|
+
# governing permissions and limitations under the License.
|
|
10
|
+
|
|
11
|
+
module JwtAuthorize
|
|
12
|
+
class JwtPayloadAuthorizer
|
|
13
|
+
def initialize(permissions, logger = nil)
|
|
14
|
+
fail "Permissions are empty!" unless permissions
|
|
15
|
+
|
|
16
|
+
@perms = permissions.split(",")
|
|
17
|
+
@logger = logger
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
def authorized?(payload, base_repo)
|
|
21
|
+
repos = payload["repositories"]
|
|
22
|
+
|
|
23
|
+
same_repositories?(repos, base_repo) && permissions_valid?(repos)
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
private
|
|
27
|
+
|
|
28
|
+
def same_repositories?(payload_repos, base_repo)
|
|
29
|
+
test_repos = payload_repos.map { |repo| repo["name"].downcase }
|
|
30
|
+
fail "No payload repositories." if test_repos.size == 0
|
|
31
|
+
|
|
32
|
+
same = test_repos.include?(base_repo.downcase)
|
|
33
|
+
fail "Repositories do not match." unless same
|
|
34
|
+
|
|
35
|
+
same
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
def permissions_valid?(payload_repos)
|
|
39
|
+
repo_perms = payload_repos.map { |repo| repo["permissions"] }.flatten
|
|
40
|
+
|
|
41
|
+
valid = (permissions & repo_perms).size > 0
|
|
42
|
+
|
|
43
|
+
unless valid
|
|
44
|
+
@logger.error("Invalid perms. Jwt: #{permissions.inspect}, repo: #{repo_perms.inspect}") unless @logger.nil?
|
|
45
|
+
fail "Invalid permissions."
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
valid
|
|
49
|
+
end
|
|
50
|
+
|
|
51
|
+
def permissions
|
|
52
|
+
@perms
|
|
53
|
+
end
|
|
54
|
+
end
|
|
55
|
+
end
|
metadata
ADDED
|
@@ -0,0 +1,118 @@
|
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
|
+
name: jwt_authorize
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
version: 0.2.5
|
|
5
|
+
platform: ruby
|
|
6
|
+
authors:
|
|
7
|
+
- Dave Persing
|
|
8
|
+
autorequire:
|
|
9
|
+
bindir: exe
|
|
10
|
+
cert_chain: []
|
|
11
|
+
date: 2018-12-13 00:00:00.000000000 Z
|
|
12
|
+
dependencies:
|
|
13
|
+
- !ruby/object:Gem::Dependency
|
|
14
|
+
name: bundler
|
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
|
16
|
+
requirements:
|
|
17
|
+
- - "~>"
|
|
18
|
+
- !ruby/object:Gem::Version
|
|
19
|
+
version: '1.12'
|
|
20
|
+
type: :development
|
|
21
|
+
prerelease: false
|
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
23
|
+
requirements:
|
|
24
|
+
- - "~>"
|
|
25
|
+
- !ruby/object:Gem::Version
|
|
26
|
+
version: '1.12'
|
|
27
|
+
- !ruby/object:Gem::Dependency
|
|
28
|
+
name: rake
|
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
|
30
|
+
requirements:
|
|
31
|
+
- - "~>"
|
|
32
|
+
- !ruby/object:Gem::Version
|
|
33
|
+
version: '10.0'
|
|
34
|
+
type: :development
|
|
35
|
+
prerelease: false
|
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
37
|
+
requirements:
|
|
38
|
+
- - "~>"
|
|
39
|
+
- !ruby/object:Gem::Version
|
|
40
|
+
version: '10.0'
|
|
41
|
+
- !ruby/object:Gem::Dependency
|
|
42
|
+
name: rspec
|
|
43
|
+
requirement: !ruby/object:Gem::Requirement
|
|
44
|
+
requirements:
|
|
45
|
+
- - "~>"
|
|
46
|
+
- !ruby/object:Gem::Version
|
|
47
|
+
version: '3.0'
|
|
48
|
+
type: :development
|
|
49
|
+
prerelease: false
|
|
50
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
51
|
+
requirements:
|
|
52
|
+
- - "~>"
|
|
53
|
+
- !ruby/object:Gem::Version
|
|
54
|
+
version: '3.0'
|
|
55
|
+
- !ruby/object:Gem::Dependency
|
|
56
|
+
name: rubocop
|
|
57
|
+
requirement: !ruby/object:Gem::Requirement
|
|
58
|
+
requirements:
|
|
59
|
+
- - "~>"
|
|
60
|
+
- !ruby/object:Gem::Version
|
|
61
|
+
version: '0.36'
|
|
62
|
+
type: :development
|
|
63
|
+
prerelease: false
|
|
64
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
65
|
+
requirements:
|
|
66
|
+
- - "~>"
|
|
67
|
+
- !ruby/object:Gem::Version
|
|
68
|
+
version: '0.36'
|
|
69
|
+
- !ruby/object:Gem::Dependency
|
|
70
|
+
name: jwt
|
|
71
|
+
requirement: !ruby/object:Gem::Requirement
|
|
72
|
+
requirements:
|
|
73
|
+
- - "~>"
|
|
74
|
+
- !ruby/object:Gem::Version
|
|
75
|
+
version: '1.5'
|
|
76
|
+
type: :runtime
|
|
77
|
+
prerelease: false
|
|
78
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
79
|
+
requirements:
|
|
80
|
+
- - "~>"
|
|
81
|
+
- !ruby/object:Gem::Version
|
|
82
|
+
version: '1.5'
|
|
83
|
+
description:
|
|
84
|
+
email:
|
|
85
|
+
- persing@adobe.com
|
|
86
|
+
executables: []
|
|
87
|
+
extensions: []
|
|
88
|
+
extra_rdoc_files: []
|
|
89
|
+
files:
|
|
90
|
+
- lib/jwt_authorize.rb
|
|
91
|
+
- lib/jwt_authorize/jwt_consts.rb
|
|
92
|
+
- lib/jwt_authorize/jwt_decoder.rb
|
|
93
|
+
- lib/jwt_authorize/jwt_payload_authorizer.rb
|
|
94
|
+
- lib/jwt_authorize/version.rb
|
|
95
|
+
homepage: https://github.com/adobe-platform/jwt-authorize-gem
|
|
96
|
+
licenses: []
|
|
97
|
+
metadata: {}
|
|
98
|
+
post_install_message:
|
|
99
|
+
rdoc_options: []
|
|
100
|
+
require_paths:
|
|
101
|
+
- lib
|
|
102
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
103
|
+
requirements:
|
|
104
|
+
- - ">="
|
|
105
|
+
- !ruby/object:Gem::Version
|
|
106
|
+
version: '0'
|
|
107
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
108
|
+
requirements:
|
|
109
|
+
- - ">="
|
|
110
|
+
- !ruby/object:Gem::Version
|
|
111
|
+
version: '0'
|
|
112
|
+
requirements: []
|
|
113
|
+
rubyforge_project:
|
|
114
|
+
rubygems_version: 2.7.6
|
|
115
|
+
signing_key:
|
|
116
|
+
specification_version: 4
|
|
117
|
+
summary: Authorizing requests containing an Authorization header against custom permissions
|
|
118
|
+
test_files: []
|