RubyGems - keratin-authn - Versions diffs - 0.3.0 → 0.3.1 - Mend

keratin-authn 0.3.0 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml +4 -4
data/Gemfile +1 -1
data/README.md +21 -1
data/keratin-authn.gemspec +1 -1
data/lib/keratin/authn.rb +20 -5
data/lib/keratin/authn/id_token_verifier.rb +3 -5
data/lib/keratin/authn/mock_signature_verifier.rb +7 -0
data/lib/keratin/authn/remote_signature_verifier.rb +19 -0
data/lib/keratin/authn/test/helpers.rb +1 -24
data/lib/keratin/authn/version.rb +1 -1
metadata +18 -16

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2f45b125d67113d0774cbad89d9267547e3b7e31
-  data.tar.gz: de9f914409394e534f6fe8d9240fe0f4edb0c441
+  metadata.gz: 4f56c448de089a50cd7d4ee112f5238cab39146e
+  data.tar.gz: 4e4b9953cb86e8a1ea827d5ea9e861578260effd
 SHA512:
-  metadata.gz: 164fd93bf93e7ccad0f9d005ea81fcc09e78bdb79bccb8a8b55f4776101631bdbc14d0b2a0d4f9347c0f0e322a1e45fad3c88d3f243b2bb9c561995380b17859
-  data.tar.gz: a45bbfebe1d9bad1c0a5538cc8d679e5a7ee4ec3be78897a2c740c070bfae0ff89efdf8e1518d7b5c786d4940db6589aff7604f1b416474d068922616fbc43e3
+  metadata.gz: cf79c26b1b0dd270c93fcbb708cbc7edf8931355555e69c069f6987ae577968844655ab221450198ccef76e71bb57a3c94233450da592327deb7f9d7c76b4f2d
+  data.tar.gz: c6c7f30a6799367f31a67c3b17eee21e50a04e9b5bb6bb38aec03482e0aca3da9ceb67c64ec0e29643e45a4e8e01c29b1295f603a1b6cfc54aa0f10161a31ab3

data/Gemfile CHANGED

@@ -1,4 +1,4 @@
 source 'https://rubygems.org'
-# Specify your gem's dependencies in auth-rb.gemspec
+# Specify your gem's dependencies in keratin-authn.gemspec
 gemspec

data/README.md CHANGED

@@ -100,7 +100,27 @@ class SessionsController
 end
 ```
-## Development
+## Testing Your App
+AuthN provides helpers for working with tokens in your application's controller and integration tests.
+In your `test/test_helper.rb` or equivalent:
+```ruby
+# Configuring AuthN to use the MockSignatureVerifier will stop your tests from attempting to connect
+# to the remote issuer during tests.
+Keratin::AuthN.signature_verifier = Keratin::AuthN::MockSignatureVerifier.new
+# Including the Test::Helpers module grants access to `id_token_for(user.account_id)`, so that you
+# can test your system with real tokens.
+module ActionDispatch
+  class IntegrationTest
+    include Keratin::AuthN::Test::Helpers
+  end
+end
+```
+## Developing AuthN
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

data/keratin-authn.gemspec CHANGED

@@ -30,7 +30,6 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
   spec.add_dependency "json-jwt"
-  spec.add_dependency "webmock"
   spec.add_dependency "lru_redux"
   spec.add_development_dependency "bundler", "~> 1.13"
@@ -38,4 +37,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "minitest", "~> 5.0"
   spec.add_development_dependency "timecop"
   spec.add_development_dependency "byebug"
+  spec.add_development_dependency "webmock"
 end

data/lib/keratin/authn.rb CHANGED

@@ -1,6 +1,8 @@
 require_relative 'authn/version'
 require_relative 'authn/engine' if defined?(Rails)
 require_relative 'authn/id_token_verifier'
+require_relative 'authn/remote_signature_verifier'
+require_relative 'authn/mock_signature_verifier'
 require_relative 'authn/issuer'
 require 'lru_redux'
@@ -41,17 +43,30 @@ module Keratin
       end
     end
-    def self.keychain
-      @keychain ||= LruRedux::TTL::ThreadSafeCache.new(25, config.keychain_ttl)
+    # The default strategy for signature verification will find the JWT's issuer, fetch the JWKs
+    # from that server, choose the correct key by id, and finally verify the JWT. The keys are
+    # then cached in memory to reduce network traffic.
+    def self.signature_verifier
+      @verifier ||= RemoteSignatureVerifier.new(
+        LruRedux::TTL::ThreadSafeCache.new(25, config.keychain_ttl)
+      )
+    end
+    # If the default strategy is not desired (as in host application tests), different strategies
+    # may be specified here. The strategy must define a `verify(jwt)` method.
+    def self.signature_verifier=(val)
+      if val.respond_to?(:verify) && val.method(:verify).arity == 1
+        @verifier = val
+      else
+        raise ArgumentError.new("Please ensure that your signature verifier has been instantiated and implements `def verify(jwt)`.")
+      end
     end
     class << self
       # safely fetches a subject from the id token after checking relevant claims and
       # verifying the signature.
-      #
-      # this may involve HTTP requests to fetch the issuer's configuration and JWKs.
       def subject_from(id_token)
-        verifier = IDTokenVerifier.new(id_token, keychain)
+        verifier = IDTokenVerifier.new(id_token, signature_verifier)
         verifier.subject if verifier.verified?
       end

data/lib/keratin/authn/id_token_verifier.rb CHANGED

@@ -2,9 +2,9 @@ require 'uri'
 module Keratin::AuthN
   class IDTokenVerifier
-    def initialize(str, keychain)
+    def initialize(str, signature_verifier)
       @id_token = str
-      @keychain = keychain
+      @signature_verifier = signature_verifier
       @time = Time.now.to_i
     end
@@ -35,9 +35,7 @@ module Keratin::AuthN
     end
     def token_intact?
-      jwt.verify!(@keychain.getset(jwt.kid){ Issuer.new(jwt['iss']).signing_key(jwt.kid) })
-    rescue JSON::JWT::VerificationFailed, JSON::JWT::UnexpectedAlgorithm
-      false
+      @signature_verifier.verify(jwt)
     end
     private def jwt

data/lib/keratin/authn/mock_signature_verifier.rb ADDED

@@ -0,0 +1,7 @@
+module Keratin::AuthN
+  class MockSignatureVerifier
+    def verify(jwt)
+      true
+    end
+  end
+end

data/lib/keratin/authn/remote_signature_verifier.rb ADDED

@@ -0,0 +1,19 @@
+module Keratin::AuthN
+  class RemoteSignatureVerifier
+    attr_reader :keychain
+    def initialize(keychain)
+      @keychain = keychain
+    end
+    def verify(jwt)
+      jwt.verify!(key(jwt['iss'], jwt.kid))
+    rescue JSON::JWT::VerificationFailed, JSON::JWT::UnexpectedAlgorithm
+      false
+    end
+    private def key(issuer, kid)
+      keychain.getset(kid){ Issuer.new(issuer).signing_key(kid) }
+    end
+  end
+end

data/lib/keratin/authn/test/helpers.rb CHANGED

@@ -1,5 +1,3 @@
-require 'webmock/minitest'
 module Keratin::AuthN
   module Test
     module Helpers
@@ -16,33 +14,12 @@ module Keratin::AuthN
         ).sign(jws_keypair.to_jwk, JWS_ALGORITHM).to_s
       end
-      # a temporary RSA key for our test suite.
+      # a temporary RSA key for the test suite.
       #
       # generates the smallest (fastest) key possible for RS256
       private def jws_keypair
         @keypair ||= OpenSSL::PKey::RSA.new(512)
       end
-      # stubs the endpoints necessary to validate a signed JWT
-      private def stub_auth_server(issuer: Keratin::AuthN.config.issuer, keypair: jws_keypair)
-        Keratin::AuthN.keychain.clear
-        stub_request(:get, "#{issuer}/configuration").to_return(
-          status: 200,
-          body: {'jwks_uri' => "#{issuer}/jwks"}.to_json
-        )
-        stub_request(:get, "#{issuer}/jwks").to_return(
-          status: 200,
-          body: {
-            keys: [
-              keypair.public_key.to_jwk.slice(:kty, :kid, :e, :n).merge(
-                use: 'sig',
-                alg: JWS_ALGORITHM
-              )
-            ]
-          }.to_json
-        )
-      end
     end
   end
 end

data/lib/keratin/authn/version.rb CHANGED

@@ -1,5 +1,5 @@
 module Keratin
   module AuthN
-    VERSION = "0.3.0"
+    VERSION = "0.3.1"
   end
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: keratin-authn
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.1
 platform: ruby
 authors:
 - Lance Ivy
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2017-01-27 00:00:00.000000000 Z
+date: 2017-02-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json-jwt
@@ -24,20 +24,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: webmock
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: lru_redux
   requirement: !ruby/object:Gem::Requirement
@@ -122,6 +108,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description:
 email:
 - lance@cainlevy.net
@@ -143,6 +143,8 @@ files:
 - lib/keratin/authn/engine.rb
 - lib/keratin/authn/id_token_verifier.rb
 - lib/keratin/authn/issuer.rb
+- lib/keratin/authn/mock_signature_verifier.rb
+- lib/keratin/authn/remote_signature_verifier.rb
 - lib/keratin/authn/test/helpers.rb
 - lib/keratin/authn/testing.rb
 - lib/keratin/authn/version.rb