keratin-authn 0.3.0 → 0.3.1
- checksums.yaml +4 -4
- data/Gemfile +1 -1
- data/README.md +21 -1
- data/keratin-authn.gemspec +1 -1
- data/lib/keratin/authn.rb +20 -5
- data/lib/keratin/authn/id_token_verifier.rb +3 -5
- data/lib/keratin/authn/mock_signature_verifier.rb +7 -0
- data/lib/keratin/authn/remote_signature_verifier.rb +19 -0
- data/lib/keratin/authn/test/helpers.rb +1 -24
- data/lib/keratin/authn/version.rb +1 -1
- metadata +18 -16
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 4f56c448de089a50cd7d4ee112f5238cab39146e
|
4
|
+
data.tar.gz: 4e4b9953cb86e8a1ea827d5ea9e861578260effd
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: cf79c26b1b0dd270c93fcbb708cbc7edf8931355555e69c069f6987ae577968844655ab221450198ccef76e71bb57a3c94233450da592327deb7f9d7c76b4f2d
|
7
|
+
data.tar.gz: c6c7f30a6799367f31a67c3b17eee21e50a04e9b5bb6bb38aec03482e0aca3da9ceb67c64ec0e29643e45a4e8e01c29b1295f603a1b6cfc54aa0f10161a31ab3
|
data/Gemfile
CHANGED
data/README.md
CHANGED
@@ -100,7 +100,27 @@ class SessionsController
|
|
100
100
|
end
|
101
101
|
```
|
102
102
|
|
103
|
-
##
|
103
|
+
## Testing Your App
|
104
|
+
|
105
|
+
AuthN provides helpers for working with tokens in your application's controller and integration tests.
|
106
|
+
|
107
|
+
In your `test/test_helper.rb` or equivalent:
|
108
|
+
|
109
|
+
```ruby
|
110
|
+
# Configuring AuthN to use the MockSignatureVerifier will stop your tests from attempting to connect
|
111
|
+
# to the remote issuer during tests.
|
112
|
+
Keratin::AuthN.signature_verifier = Keratin::AuthN::MockSignatureVerifier.new
|
113
|
+
|
114
|
+
# Including the Test::Helpers module grants access to `id_token_for(user.account_id)`, so that you
|
115
|
+
# can test your system with real tokens.
|
116
|
+
module ActionDispatch
|
117
|
+
class IntegrationTest
|
118
|
+
include Keratin::AuthN::Test::Helpers
|
119
|
+
end
|
120
|
+
end
|
121
|
+
```
|
122
|
+
|
123
|
+
## Developing AuthN
|
104
124
|
|
105
125
|
After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
|
106
126
|
|
data/keratin-authn.gemspec
CHANGED
@@ -30,7 +30,6 @@ Gem::Specification.new do |spec|
|
|
30
30
|
spec.require_paths = ["lib"]
|
31
31
|
|
32
32
|
spec.add_dependency "json-jwt"
|
33
|
-
spec.add_dependency "webmock"
|
34
33
|
spec.add_dependency "lru_redux"
|
35
34
|
|
36
35
|
spec.add_development_dependency "bundler", "~> 1.13"
|
@@ -38,4 +37,5 @@ Gem::Specification.new do |spec|
|
|
38
37
|
spec.add_development_dependency "minitest", "~> 5.0"
|
39
38
|
spec.add_development_dependency "timecop"
|
40
39
|
spec.add_development_dependency "byebug"
|
40
|
+
spec.add_development_dependency "webmock"
|
41
41
|
end
|
data/lib/keratin/authn.rb
CHANGED
@@ -1,6 +1,8 @@
|
|
1
1
|
require_relative 'authn/version'
|
2
2
|
require_relative 'authn/engine' if defined?(Rails)
|
3
3
|
require_relative 'authn/id_token_verifier'
|
4
|
+
require_relative 'authn/remote_signature_verifier'
|
5
|
+
require_relative 'authn/mock_signature_verifier'
|
4
6
|
require_relative 'authn/issuer'
|
5
7
|
|
6
8
|
require 'lru_redux'
|
@@ -41,17 +43,30 @@ module Keratin
|
|
41
43
|
end
|
42
44
|
end
|
43
45
|
|
44
|
-
|
45
|
-
|
46
|
+
# The default strategy for signature verification will find the JWT's issuer, fetch the JWKs
|
47
|
+
# from that server, choose the correct key by id, and finally verify the JWT. The keys are
|
48
|
+
# then cached in memory to reduce network traffic.
|
49
|
+
def self.signature_verifier
|
50
|
+
@verifier ||= RemoteSignatureVerifier.new(
|
51
|
+
LruRedux::TTL::ThreadSafeCache.new(25, config.keychain_ttl)
|
52
|
+
)
|
53
|
+
end
|
54
|
+
|
55
|
+
# If the default strategy is not desired (as in host application tests), different strategies
|
56
|
+
# may be specified here. The strategy must define a `verify(jwt)` method.
|
57
|
+
def self.signature_verifier=(val)
|
58
|
+
if val.respond_to?(:verify) && val.method(:verify).arity == 1
|
59
|
+
@verifier = val
|
60
|
+
else
|
61
|
+
raise ArgumentError.new("Please ensure that your signature verifier has been instantiated and implements `def verify(jwt)`.")
|
62
|
+
end
|
46
63
|
end
|
47
64
|
|
48
65
|
class << self
|
49
66
|
# safely fetches a subject from the id token after checking relevant claims and
|
50
67
|
# verifying the signature.
|
51
|
-
#
|
52
|
-
# this may involve HTTP requests to fetch the issuer's configuration and JWKs.
|
53
68
|
def subject_from(id_token)
|
54
|
-
verifier = IDTokenVerifier.new(id_token,
|
69
|
+
verifier = IDTokenVerifier.new(id_token, signature_verifier)
|
55
70
|
verifier.subject if verifier.verified?
|
56
71
|
end
|
57
72
|
|
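Review bot: `signature_verifier=` (new lines 57-62) installs a process-wide replacement for signature verification and only duck-type-checks it, and because `IDTokenVerifier#token_intact?` now returns whatever `verify` returns, any object whose `verify` answers truthy makes every token valid; the setter should say so, e.g. `# Process-global. Replacing the default verifier switches off remote signature checks for every caller, so assign it only from test configuration.` The arity test `val.method(:verify).arity == 1` also rejects a `verify(jwt, opts = {})` or `verify(*args)` implementation (arity -2 / -1) that does satisfy the documented `verify(jwt)` contract; `arity == 1 || arity < 0` would accept those. `signature_verifier` memoizes a cache built from `config.keychain_ttl` on first use, so a `keychain_ttl` configured after the first verification is silently ignored — worth a comment, or read the config when building rather than caching the TTL for the process lifetime. Style: `raise ArgumentError, "..."` rather than `raise ArgumentError.new(...)`. Both new class methods sit inside `module Keratin`, whose opening is above the hunk.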
@@ -2,9 +2,9 @@ require 'uri'
|
|
2
2
|
|
3
3
|
module Keratin::AuthN
|
4
4
|
class IDTokenVerifier
|
5
|
-
def initialize(str,
|
5
|
+
def initialize(str, signature_verifier)
|
6
6
|
@id_token = str
|
7
|
-
@
|
7
|
+
@signature_verifier = signature_verifier
|
8
8
|
@time = Time.now.to_i
|
9
9
|
end
|
10
10
|
|
@@ -35,9 +35,7 @@ module Keratin::AuthN
|
|
35
35
|
end
|
36
36
|
|
37
37
|
def token_intact?
|
38
|
-
|
39
|
-
rescue JSON::JWT::VerificationFailed, JSON::JWT::UnexpectedAlgorithm
|
40
|
-
false
|
38
|
+
@signature_verifier.verify(jwt)
|
41
39
|
end
|
42
40
|
|
43
41
|
private def jwt
|
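Review bot: `token_intact?` (new line 38) returns the raw result of `@signature_verifier.verify(jwt)` and no longer rescues `JSON::JWT::VerificationFailed` / `UnexpectedAlgorithm`, so the contract a pluggable verifier must honour — truthy only for a verified signature, falsy otherwise, no exceptions — is neither enforced nor documented; record it on `initialize`: `# @param signature_verifier [#verify] returns truthy only when the JWT signature verifies against the issuer's key and falsy (not an exception) otherwise; a raising verifier now escapes verified?`. The rescue for the remote strategy moved into RemoteSignatureVerifier, but a custom verifier that raises those json-jwt errors now surfaces them to callers of `subject_from`, which in 0.3.0 received `nil` instead. The `IDTokenVerifier` class continues past the hunk, so whether `verified?` checks the `iss` claim before calling `token_intact?` cannot be confirmed from this diff.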
@@ -0,0 +1,19 @@
|
|
1
|
+
module Keratin::AuthN
|
2
|
+
class RemoteSignatureVerifier
|
3
|
+
attr_reader :keychain
|
4
|
+
|
5
|
+
def initialize(keychain)
|
6
|
+
@keychain = keychain
|
7
|
+
end
|
8
|
+
|
9
|
+
def verify(jwt)
|
10
|
+
jwt.verify!(key(jwt['iss'], jwt.kid))
|
11
|
+
rescue JSON::JWT::VerificationFailed, JSON::JWT::UnexpectedAlgorithm
|
12
|
+
false
|
13
|
+
end
|
14
|
+
|
15
|
+
private def key(issuer, kid)
|
16
|
+
keychain.getset(kid){ Issuer.new(issuer).signing_key(kid) }
|
17
|
+
end
|
18
|
+
end
|
19
|
+
end
|
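Review bot: `key` (line 16) memoizes the signing key by `kid` alone, while the issuer it fetches from is read straight from the token's as-yet-unverified `iss` claim on line 10, so whichever issuer value first appears with a given `kid` decides which key the cache serves for every later token carrying that `kid`, including ones from the configured issuer. Key the cache on both values, `keychain.getset([issuer, kid]) { Issuer.new(issuer).signing_key(kid) }`, and, unless `verified?` already rejects a foreign `iss` before `token_intact?` runs (that ordering is outside this diff), fetch from `config.issuer` rather than the token's claim so the verifier never contacts a server named by the token. Line 11 maps only the two json-jwt verification errors to `false`; a failure inside `Issuer#signing_key` or whatever it yields for an unknown `kid` propagates, which fails closed but deserves a comment on `verify`. That comment should also state the return contract, since IDTokenVerifier treats any truthy value as an intact signature.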
@@ -1,5 +1,3 @@
|
|
1
|
-
require 'webmock/minitest'
|
2
|
-
|
3
1
|
module Keratin::AuthN
|
4
2
|
module Test
|
5
3
|
module Helpers
|
@@ -16,33 +14,12 @@ module Keratin::AuthN
|
|
16
14
|
).sign(jws_keypair.to_jwk, JWS_ALGORITHM).to_s
|
17
15
|
end
|
18
16
|
|
19
|
-
# a temporary RSA key for
|
17
|
+
# a temporary RSA key for the test suite.
|
20
18
|
#
|
21
19
|
# generates the smallest (fastest) key possible for RS256
|
22
20
|
private def jws_keypair
|
23
21
|
@keypair ||= OpenSSL::PKey::RSA.new(512)
|
24
22
|
end
|
25
|
-
|
26
|
-
# stubs the endpoints necessary to validate a signed JWT
|
27
|
-
private def stub_auth_server(issuer: Keratin::AuthN.config.issuer, keypair: jws_keypair)
|
28
|
-
Keratin::AuthN.keychain.clear
|
29
|
-
stub_request(:get, "#{issuer}/configuration").to_return(
|
30
|
-
status: 200,
|
31
|
-
body: {'jwks_uri' => "#{issuer}/jwks"}.to_json
|
32
|
-
)
|
33
|
-
stub_request(:get, "#{issuer}/jwks").to_return(
|
34
|
-
status: 200,
|
35
|
-
body: {
|
36
|
-
keys: [
|
37
|
-
keypair.public_key.to_jwk.slice(:kty, :kid, :e, :n).merge(
|
38
|
-
use: 'sig',
|
39
|
-
alg: JWS_ALGORITHM
|
40
|
-
)
|
41
|
-
]
|
42
|
-
}.to_json
|
43
|
-
)
|
44
|
-
end
|
45
|
-
|
46
23
|
end
|
47
24
|
end
|
48
25
|
end
|
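Review bot: with `stub_auth_server` gone, nothing in this module publishes `jws_keypair` to any issuer, so tokens minted by `id_token_for` (the `.sign(jws_keypair.to_jwk, JWS_ALGORITHM)` context at the top of the hunk) can only pass under a verifier that does not consult the issuer's keys, presumably the MockSignatureVerifier the README now prescribes; the comment on line 17 should say so, e.g. `# a temporary RSA key for the test suite. No issuer knows it, so tokens signed with it verify only under a verifier that skips key lookup (see README: MockSignatureVerifier), never the default RemoteSignatureVerifier.` Removing the public `stub_auth_server` helper from a module that host test suites include is a breaking change shipped as 0.3.0 → 0.3.1; a stub that raises with a pointer to the new setup would make the failure self-explanatory. The Helpers module's opening and `id_token_for` itself sit above the hunk.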
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: keratin-authn
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.3.
|
4
|
+
version: 0.3.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Lance Ivy
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-
|
11
|
+
date: 2017-02-23 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: json-jwt
|
@@ -24,20 +24,6 @@ dependencies:
|
|
24
24
|
- - ">="
|
25
25
|
- !ruby/object:Gem::Version
|
26
26
|
version: '0'
|
27
|
-
- !ruby/object:Gem::Dependency
|
28
|
-
name: webmock
|
29
|
-
requirement: !ruby/object:Gem::Requirement
|
30
|
-
requirements:
|
31
|
-
- - ">="
|
32
|
-
- !ruby/object:Gem::Version
|
33
|
-
version: '0'
|
34
|
-
type: :runtime
|
35
|
-
prerelease: false
|
36
|
-
version_requirements: !ruby/object:Gem::Requirement
|
37
|
-
requirements:
|
38
|
-
- - ">="
|
39
|
-
- !ruby/object:Gem::Version
|
40
|
-
version: '0'
|
41
27
|
- !ruby/object:Gem::Dependency
|
42
28
|
name: lru_redux
|
43
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -122,6 +108,20 @@ dependencies:
|
|
122
108
|
- - ">="
|
123
109
|
- !ruby/object:Gem::Version
|
124
110
|
version: '0'
|
111
|
+
- !ruby/object:Gem::Dependency
|
112
|
+
name: webmock
|
113
|
+
requirement: !ruby/object:Gem::Requirement
|
114
|
+
requirements:
|
115
|
+
- - ">="
|
116
|
+
- !ruby/object:Gem::Version
|
117
|
+
version: '0'
|
118
|
+
type: :development
|
119
|
+
prerelease: false
|
120
|
+
version_requirements: !ruby/object:Gem::Requirement
|
121
|
+
requirements:
|
122
|
+
- - ">="
|
123
|
+
- !ruby/object:Gem::Version
|
124
|
+
version: '0'
|
125
125
|
description:
|
126
126
|
email:
|
127
127
|
- lance@cainlevy.net
|
@@ -143,6 +143,8 @@ files:
|
|
143
143
|
- lib/keratin/authn/engine.rb
|
144
144
|
- lib/keratin/authn/id_token_verifier.rb
|
145
145
|
- lib/keratin/authn/issuer.rb
|
146
|
+
- lib/keratin/authn/mock_signature_verifier.rb
|
147
|
+
- lib/keratin/authn/remote_signature_verifier.rb
|
146
148
|
- lib/keratin/authn/test/helpers.rb
|
147
149
|
- lib/keratin/authn/testing.rb
|
148
150
|
- lib/keratin/authn/version.rb
|