keycloak-api-rails 0.6

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 1fb2c6f355e3fc27fbb0110609f34fc4d17e34f0
+  data.tar.gz: 3f338ecbe4d68ecccf65904434399394b7f51a80
+SHA512:
+  metadata.gz: 869df876da34f6cbb957a7c12f88975efc5147ddb4282813b30997aa5e9b229045f5e3fee056429a6990193909b3e864893d69787f67e09ade924816f5696b96
+  data.tar.gz: 1a1e5f069ad76e2eb83653bddff7da10b019097f06277f91793b6839e2ccf3fe91e1df3ff25a5a12caf32fdc4668570e853a964a64fee0d85c4c1eb8aabd009e

data/.gitignore

@@ -0,0 +1,3 @@
+.bundle/
+log/*.log
+.byebug_history

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--require spec_helper

data/Dockerfile

@@ -0,0 +1,11 @@
+FROM ruby:2.3
+RUN mkdir -p /usr/src/app/lib/keycloak-api-rails
+WORKDIR /usr/src/app
+
+COPY Gemfile /usr/src/app/
+COPY Gemfile.lock /usr/src/app/
+COPY keycloak-api-rails.gemspec /usr/src/app/
+COPY lib/keycloak-api-rails/version.rb /usr/src/app/lib/keycloak-api-rails/
+RUN bundle install
+COPY . /usr/src/app
+RUN bundle install

data/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec

data/Gemfile.lock

@@ -0,0 +1,145 @@
+PATH
+  remote: .
+  specs:
+    keycloak-api-rails (0.6)
+      json-jwt (~> 1.8, >= 1.8.3)
+      rails (>= 4.2)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actioncable (5.1.4)
+      actionpack (= 5.1.4)
+      nio4r (~> 2.0)
+      websocket-driver (~> 0.6.1)
+    actionmailer (5.1.4)
+      actionpack (= 5.1.4)
+      actionview (= 5.1.4)
+      activejob (= 5.1.4)
+      mail (~> 2.5, >= 2.5.4)
+      rails-dom-testing (~> 2.0)
+    actionpack (5.1.4)
+      actionview (= 5.1.4)
+      activesupport (= 5.1.4)
+      rack (~> 2.0)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    actionview (5.1.4)
+      activesupport (= 5.1.4)
+      builder (~> 3.1)
+      erubi (~> 1.4)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.3)
+    activejob (5.1.4)
+      activesupport (= 5.1.4)
+      globalid (>= 0.3.6)
+    activemodel (5.1.4)
+      activesupport (= 5.1.4)
+    activerecord (5.1.4)
+      activemodel (= 5.1.4)
+      activesupport (= 5.1.4)
+      arel (~> 8.0)
+    activesupport (5.1.4)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (~> 0.7)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    arel (8.0.0)
+    bindata (2.4.1)
+    builder (3.2.3)
+    byebug (9.1.0)
+    concurrent-ruby (1.0.5)
+    crass (1.0.3)
+    diff-lcs (1.3)
+    erubi (1.7.0)
+    globalid (0.4.1)
+      activesupport (>= 4.2.0)
+    i18n (0.9.1)
+      concurrent-ruby (~> 1.0)
+    json-jwt (1.8.3)
+      activesupport
+      bindata
+      securecompare
+      url_safe_base64
+    loofah (2.1.1)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.5.9)
+    mail (2.7.0)
+      mini_mime (>= 0.1.1)
+    method_source (0.9.0)
+    mini_mime (1.0.0)
+    mini_portile2 (2.3.0)
+    minitest (5.11.1)
+    nio4r (2.2.0)
+    nokogiri (1.8.1)
+      mini_portile2 (~> 2.3.0)
+    rack (2.0.3)
+    rack-test (0.8.2)
+      rack (>= 1.0, < 3)
+    rails (5.1.4)
+      actioncable (= 5.1.4)
+      actionmailer (= 5.1.4)
+      actionpack (= 5.1.4)
+      actionview (= 5.1.4)
+      activejob (= 5.1.4)
+      activemodel (= 5.1.4)
+      activerecord (= 5.1.4)
+      activesupport (= 5.1.4)
+      bundler (>= 1.3.0)
+      railties (= 5.1.4)
+      sprockets-rails (>= 2.0.0)
+    rails-dom-testing (2.0.3)
+      activesupport (>= 4.2.0)
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.0.3)
+      loofah (~> 2.0)
+    railties (5.1.4)
+      actionpack (= 5.1.4)
+      activesupport (= 5.1.4)
+      method_source
+      rake (>= 0.8.7)
+      thor (>= 0.18.1, < 2.0)
+    rake (12.3.0)
+    rspec (3.7.0)
+      rspec-core (~> 3.7.0)
+      rspec-expectations (~> 3.7.0)
+      rspec-mocks (~> 3.7.0)
+    rspec-core (3.7.1)
+      rspec-support (~> 3.7.0)
+    rspec-expectations (3.7.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.7.0)
+    rspec-mocks (3.7.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.7.0)
+    rspec-support (3.7.0)
+    securecompare (1.0.0)
+    sprockets (3.7.1)
+      concurrent-ruby (~> 1.0)
+      rack (> 1, < 3)
+    sprockets-rails (3.2.1)
+      actionpack (>= 4.0)
+      activesupport (>= 4.0)
+      sprockets (>= 3.0.0)
+    thor (0.20.0)
+    thread_safe (0.3.6)
+    timecop (0.9.1)
+    tzinfo (1.2.4)
+      thread_safe (~> 0.1)
+    url_safe_base64 (0.2.2)
+    websocket-driver (0.6.5)
+      websocket-extensions (>= 0.1.0)
+    websocket-extensions (0.1.3)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  byebug (= 9.1.0)
+  keycloak-api-rails!
+  rspec (= 3.7.0)
+  timecop (= 0.9.1)
+
+BUNDLED WITH
+   1.16.1

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2018 
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,165 @@
+# Keycloak-Rails-Api
+
+This gem aims at validates Keycloak JWT token in Ruby On Rails APIs.
+
+## Token validation
+
+Tokens send (through query strings or Authorization headers) to this Railtie Middleware are validated against a Keycloak public key. This public key is downloaded every day by default (this interval can be changed through `public_key_cache_ttl`).
+
+## Pass token to the API
+
+* Method 1: By adding an `Authorization` HTTP Header with its value set to `Bearer <your token>`. 
+  _e.g_ using curl: `curl -H "Authorization: Bearer <your-token>" https://api.pouet.io/api/more-pouets`
+* Method 2: By providing the token via query string, especially via the parameter named `authorizationToken`. Keep in mind that this method is less secure (url are kept intact in your browser history, and so on...)
+  _e.g._ using curl: `curl https://api.pouet.io/api/more-pouets?authorizationToken<your-token>`
+
+_If both method are used at the same time, The query string as a higher priority when reading given tokens._
+
+## When a token is validated
+
+In Rails controller, the request `env` variables has two more properties:
+* `keycloak:keycloak_id`
+* `keycloak:roles`
+
+They can be accessed using `Keycloak::Helper` methods.
+
+## Overall configuration options
+
+All options have a default value. However, all of them can be changed in your initializer file.
+
+| Option | Default Value | Type | Required? | Description  | Example |
+| ---- | ----- | ------ | ----- | ------ | ----- |
+| `server_url` | `nil`| String | Required | The base url where your Keycloak server is located. This value can be retrieved in your Keycloak client configuration. | `auth:8080` |
+| `realm_id` | `nil`| String | Required | Realm's name (not id, actually) | `master` |
+| `logger` | `Logger.new(STDOUT)`| Logger | Optional | The logger used by `keycloak-api-rails` | `Rails.logger` | 
+| `skip_paths` | `{}`| Hash of methods and paths regexp | Optional | Paths whose the token must not be validatefd | `{ get: [/^\/health\/.+/] }`| 
+| `token_expiration_tolerance_in_seconds` | `10`| Logger | Optional | Number of seconds a token can expire before being rejected by the API. | `15` | 
+| `public_key_cache_ttl` | `86400`| Integer | Optional | Amount of time, in seconds, specifying maximum interval between two requests to {project_name} to retrieve new public keys. It is 86400 seconds (1 day) by default. At least once per this configured interval (1 day by default) will be new public key always downloaded. | `Rails.logger` | 
+
+## Configure it 
+
+Create a `keycloak.rb` file in your Rails `config/initializers` folder. For instance:
+
+```
+Keycloak.configure do |config|
+  config.server_url = ENV["KEYCLOAK_SERVER_URL"]
+  config.realm_id   = ENV["KEYCLOAK_REALM_ID"]
+  config.logger     = Rails.logger
+  config.skip_paths = {
+    post:   [/^\/message/],
+    get:    [/^\/locales/, /^\/health\/.+/]
+  }
+end
+```
+
+## Use cases
+
+Once this gem is configured in your Rails project, you can read, validate and use tokens in your controllers.
+
+### Keycloak Id
+
+If you identify users using their Keycloak Id, this value can be read from your controllers using `Keycloak::Helper.current_user_id(request.env)`. 
+
+```ruby
+class AuthenticatedController < ApplicationController
+
+  def user
+    keycloak_id = Keycloak::Helper.current_user_id(request.env)
+    User.active.find_by(keycloak_id: keycloak_id)
+  end
+end
+```
+
+### Roles
+
+`Keycloak::Helper.current_user_roles` can be use against a Rails request to read user's roles.
+
+For example, a controller can require users to be administrator (considering you defined an `application-admin` role):
+
+```ruby
+class AdminController < ApplicationController
+
+  before_action :require_to_be_admin!
+
+  def require_to_be_admin!
+    if !current_user_roles.include?("application-admin")
+      render(json: { reason: "admin", message: "You have to be an administrator to access that endpoint." }, status: :forbidden)
+    end
+  end
+
+  private
+
+  def current_user_roles
+    Keycloak::Helper.current_user_roles(request.env)
+  end
+end
+```
+
+### Create an URL where the token must be passed via query string
+
+`Keycloak::Helper.create_url_with_token` method can be used to build an url from another, by adding a token as query string.
+
+```ruby
+def example
+  Keycloak::Helper.create_url_with_token("https://api.pouet.io/api/more-pouets", "myToken")
+end
+```
+
+This should output `https://api.pouet.io/api/more-pouets?authorizationToken=myToken`.
+
+
+### Accessing Keycloak Service
+
+A lazy-loaded service Keycloak::Service can be accessed using `Keycloak.service`.
+For instance, to read a provided token:
+```ruby
+class RenderTokenController < ApplicationController
+  def show
+    uri     = request.env["REQUEST_URI"]
+    headers = request.env
+    token   = Keycloak.service.read_token(uri, headers)
+    render json: { token: token }, status: :ok
+  end
+end
+```
+
+## Writing integration tests
+
+If you want to write controller tests in your codebase and that Keycloak is configured for these controllers, here is how to mock it.
+These lines are based on tests written using `rspec`.
+
+* First, create a private key. This key should be created once per test suite for performance matters.
+```ruby
+config.before(:suite) do
+  $private_key = OpenSSL::PKey::RSA.generate(1024)
+end
+```
+* Then, in a `shared_context`, configure a lazy token based on your main user. (here, we assume you have a `user` variable with a `keycloak_id` property)
+```ruby
+let(:jwt) do
+  claims = {
+    iat: Time.zone.now.to_i,
+    exp: (Time.zone.now + 1.day).to_i,
+    sub: user.keycloak_id,
+  }
+  token = JSON::JWT.new(claims)
+  token.kid = "default"
+  token.sign($private_key, :RS256).to_s
+end
+```
+* Finally, in the same `shared_context`, stub `Keycloak.public_key_resolver` to use a valid public key that is able to validate `jwt`:
+```ruby
+before(:each) do
+  public_key_resolver = Keycloak.public_key_resolver
+  allow(public_key_resolver).to receive(:find_public_keys) { JSON::JWK::Set.new(JSON::JWK.new($private_key, kid: "default")) }
+end
+```
+
+## How to execute library tests
+
+From the `keycloak-rails-api` directory:
+
+```
+  $ docker build . -t keycloak-rails-api:test
+  $ docker run -v `pwd`:/usr/src/app/ keycloak-rails-api:test bundle exec rspec spec
+```

data/keycloak-api-rails.gemspec

@@ -0,0 +1,23 @@
+$:.push File.expand_path("../lib", __FILE__)
+
+require "keycloak-api-rails/version"
+
+Gem::Specification.new do |spec|
+  spec.name        = "keycloak-api-rails"
+  spec.version     = Keycloak::VERSION
+  spec.authors     = ["Lorent Lempereur"]
+  spec.email       = ["lorent.lempereur.dev@gmail.com"]
+  spec.homepage    = "https://github.com/looorent/keycloak-api-rails"
+  spec.summary     = "Rails middleware that validates Authorization token emitted by Keycloak"
+  spec.description = "Rails middleware that validates Authorization token emitted by Keycloak"
+  spec.license     = "MIT"
+
+  spec.files = `git ls-files -z`.split("\x0")
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "rails",    ">= 4.2"
+  spec.add_dependency "json-jwt", "~> 1.8",   ">= 1.8.3"
+  spec.add_development_dependency "rspec",   "3.7.0"
+  spec.add_development_dependency "timecop", "0.9.1"
+  spec.add_development_dependency "byebug", "9.1.0"
+end

data/lib/keycloak-api-rails.rb

@@ -0,0 +1,49 @@
+require "logger"
+require "json/jwt"
+require "uri"
+require "date"
+
+require_relative "keycloak-api-rails/configuration"
+require_relative "keycloak-api-rails/token_error"
+require_relative "keycloak-api-rails/helper"
+require_relative "keycloak-api-rails/public_key_resolver"
+require_relative "keycloak-api-rails/public_key_cached_resolver"
+require_relative "keycloak-api-rails/service"
+require_relative "keycloak-api-rails/middleware"
+require_relative "keycloak-api-rails/railtie" if defined?(Rails)
+
+module Keycloak
+
+  def self.configure
+    yield @configuration ||= Keycloak::Configuration.new
+  end
+
+  def self.config
+    @configuration
+  end
+
+  def self.public_key_resolver
+    @public_key_resolver ||= PublicKeyCachedResolver.from_configuration(config)
+  end
+
+  def self.service
+    @service ||= Keycloak::Service.new(public_key_resolver)
+  end
+
+  def self.logger
+    config.logger
+  end
+
+  def self.load_configuration
+    configure do |config|
+      config.server_url                             = nil
+      config.realm_id                               = nil
+      config.logger                                 = ::Logger.new(STDOUT)
+      config.skip_paths                             = {}
+      config.token_expiration_tolerance_in_seconds  = 10
+      config.public_key_cache_ttl                   = 86400
+    end
+  end
+
+  load_configuration
+end

data/lib/keycloak-api-rails/configuration.rb

@@ -0,0 +1,11 @@
+module Keycloak
+  class Configuration
+    include ActiveSupport::Configurable
+    config_accessor :server_url
+    config_accessor :realm_id
+    config_accessor :skip_paths
+    config_accessor :token_expiration_tolerance_in_seconds
+    config_accessor :public_key_cache_ttl
+    config_accessor :logger
+  end
+end

data/lib/keycloak-api-rails/helper.rb

@@ -0,0 +1,43 @@
+module Keycloak
+  class Helper
+    
+    CURRENT_USER_ID_KEY    = "keycloak:keycloak_id"
+    ROLES_KEY              = "keycloak:roles"
+    QUERY_STRING_TOKEN_KEY = "authorizationToken"
+
+    def self.current_user_id(env)
+      env[CURRENT_USER_ID_KEY]
+    end
+
+    def self.assign_current_user_id(env, token)
+      env[CURRENT_USER_ID_KEY] = token["sub"]
+    end
+
+    def self.current_user_roles(env)
+      env[ROLES_KEY]
+    end
+
+    def self.assign_realm_roles(env, token)
+      env[ROLES_KEY] = token.dig("realm_access", "roles")
+    end
+
+    def self.read_token_from_query_string(uri)
+      parsed_uri         = URI.parse(uri)
+      query              = URI.decode_www_form(parsed_uri.query || "")
+      query_string_token = query.detect { |param| param.first == QUERY_STRING_TOKEN_KEY }
+      query_string_token&.second
+    end
+
+    def self.create_url_with_token(uri, token)
+      uri       = URI(uri)
+      params    = URI.decode_www_form(uri.query || "").reject { |query_string| query_string.first == QUERY_STRING_TOKEN_KEY }
+      params    << [QUERY_STRING_TOKEN_KEY, token]
+      uri.query = URI.encode_www_form(params)
+      uri.to_s
+    end
+
+    def self.read_token_from_headers(headers)
+      headers["HTTP_AUTHORIZATION"]&.gsub(/^Bearer /, "") || ""
+    end
+  end
+end

data/lib/keycloak-api-rails/middleware.rb

@@ -0,0 +1,45 @@
+module Keycloak
+
+  class Middleware
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      method = env["REQUEST_METHOD"]
+      path   = env["PATH_INFO"]
+      uri    = env["REQUEST_URI"]
+      
+      if service.need_authentication?(method, path, env)
+        logger.debug("Start authentication for #{method} : #{path}")
+        token         = service.read_token(uri, env)
+        decoded_token = service.decode_and_verify(token)
+        authentication_succeeded(env, decoded_token)
+      else
+        logger.debug("Skip authentication for #{method} : #{path}")
+        @app.call(env)
+      end
+    rescue TokenError => e
+      authentication_failed(e.message)
+    end
+
+    def authentication_failed(message)
+      logger.warn(message)
+      [401, {"Content-Type" => "application/json"}, [ { error: message }.to_json]]
+    end
+
+    def authentication_succeeded(env, decoded_token)
+      Helper.assign_current_user_id(env, decoded_token)
+      Helper.assign_realm_roles(env, decoded_token)
+      @app.call(env)
+    end
+
+    def service
+      Keycloak.service
+    end
+
+    def logger
+      Keycloak.logger
+    end
+  end
+end

data/lib/keycloak-api-rails/public_key_cached_resolver.rb

@@ -0,0 +1,30 @@
+module Keycloak
+  class PublicKeyCachedResolver
+    attr_reader :cached_public_key_retrieved_at
+
+    def initialize(server_url, realm_id, public_key_cache_ttl)
+      @resolver                       = PublicKeyResolver.new(server_url, realm_id)
+      @public_key_cache_ttl           = public_key_cache_ttl
+      @cached_public_keys             = nil
+      @cached_public_key_retrieved_at = nil
+    end
+
+    def self.from_configuration(configuration)
+      PublicKeyCachedResolver.new(configuration.server_url, configuration.realm_id, configuration.public_key_cache_ttl)
+    end
+
+    def find_public_keys
+      if public_keys_are_outdated?
+        @cached_public_keys             = @resolver.find_public_keys
+        @cached_public_key_retrieved_at = Time.now
+      end
+      @cached_public_keys
+    end
+
+    private
+
+    def public_keys_are_outdated?
+      @cached_public_keys.nil? || @cached_public_key_retrieved_at.nil? || Time.now > (@cached_public_key_retrieved_at + @public_key_cache_ttl.seconds)
+    end
+  end
+end

data/lib/keycloak-api-rails/public_key_resolver.rb

@@ -0,0 +1,21 @@
+module Keycloak
+  class PublicKeyResolver
+    def initialize(server_url, realm_id)
+      @public_certificate_url = create_public_certificate_url(server_url, realm_id)
+    end
+
+    def find_public_keys
+      JSON::JWK::Set.new(JSON.parse(RestClient.get(@public_certificate_url).body)["keys"])
+    end
+
+    private
+
+    def create_realm_url(server_url, realm_id)
+      "#{server_url}/realms/#{realm_id}"
+    end
+
+    def create_public_certificate_url(server_url, realm_id)
+      "#{create_realm_url(server_url, realm_id)}/protocol/openid-connect/certs"
+    end
+  end
+end

data/lib/keycloak-api-rails/railtie.rb

@@ -0,0 +1,9 @@
+module Keycloak
+  class Railtie < Rails::Railtie
+    railtie_name :keycloak_api_rails
+
+    initializer("keycloak.insert_middleware") do |app|
+      app.config.middleware.use(Keycloak::Middleware)
+    end
+  end
+end

data/lib/keycloak-api-rails/service.rb

@@ -0,0 +1,59 @@
+module Keycloak
+  class Service
+    
+    def initialize(key_resolver)
+      @key_resolver                          = key_resolver
+      @skip_paths                            = Keycloak.config.skip_paths
+      @logger                                = Keycloak.config.logger
+      @token_expiration_tolerance_in_seconds = Keycloak.config.token_expiration_tolerance_in_seconds
+    end
+
+    def decode_and_verify(token)
+      unless token.nil? || token&.empty?
+        public_key    = @key_resolver.find_public_keys
+        decoded_token = JSON::JWT.decode(token, public_key)
+
+        unless expired?(decoded_token)
+          decoded_token.verify!(public_key)
+          decoded_token
+        else
+          raise TokenError.expired(token)
+        end
+      else
+        raise TokenError.no_token(token)
+      end
+    rescue JSON::JWT::VerificationFailed => e
+      raise TokenError.verification_failed(token, e)
+    rescue JSON::JWK::Set::KidNotFound => e
+      raise TokenError.verification_failed(token, e)
+    rescue JSON::JWT::InvalidFormat
+      raise TokenError.invalid_format(token, e)
+    end
+
+    def read_token(uri, headers)
+      Helper.read_token_from_query_string(uri) || Helper.read_token_from_headers(headers)
+    end
+
+    def need_authentication?(method, path, headers)
+      !should_skip?(method, path) && !is_preflight?(method, headers)
+    end
+
+    private
+
+    def should_skip?(method, path)
+      method_symbol = method&.downcase&.to_sym
+      skip_paths    = @skip_paths[method_symbol]
+      !skip_paths.nil? && !skip_paths.empty? && !skip_paths.find_index { |skip_path| skip_path.match(path) }.nil?
+    end
+
+    def is_preflight?(method, headers)
+      method_symbol = method&.downcase&.to_sym
+      method_symbol == :options && !headers["HTTP_ACCESS_CONTROL_REQUEST_METHOD"].nil?
+    end
+
+    def expired?(token)
+      token_expiration = Time.at(token["exp"]).to_datetime
+      token_expiration < Time.now + @token_expiration_tolerance_in_seconds.seconds
+    end
+  end
+end

data/lib/keycloak-api-rails/token_error.rb

@@ -0,0 +1,30 @@
+class TokenError < StandardError
+  attr_reader :token, :reason, :original_error
+
+  def initialize(token, reason, message, original_error)
+    super(message)
+    @token          = token
+    @reason         = reason
+    @original_error = original_error
+  end
+
+  def self.verification_failed(token, original_error)
+    TokenError.new(token, :verification_failed, "Failed to verify JWT token", original_error)
+  end
+
+  def self.invalid_format(token, original_error)
+    TokenError.new(token, :invalid_format, "Wrong JWT Format", original_error)
+  end
+
+  def self.no_token(token)
+    TokenError.new(token, :no_token, "No JWT token provided", nil)
+  end
+
+  def self.expired(token)
+    TokenError.new(token, :expired, "JWT token is expired", nil)
+  end
+
+  def self.unknown(token)
+    TokenError.new
+  end
+end

data/lib/keycloak-api-rails/version.rb

@@ -0,0 +1,3 @@
+module Keycloak
+  VERSION = "0.6"
+end

data/spec/keycloak-api-rails/helper_spec.rb

@@ -0,0 +1,33 @@
+RSpec.describe Keycloak::Helper do
+  describe "#create_url_with_token" do
+
+    let(:uri)   { "http://www.an-url.io" }
+    let(:token) { "aToken" }
+
+    before(:each) do
+      @url_with_token = Keycloak::Helper.create_url_with_token(uri, token)
+    end
+
+    context "when the uri has no query string yet" do
+      it "returns an url with the provided token" do
+        expect(@url_with_token).to eq "#{uri}?authorizationToken=#{token}"
+      end
+    end
+
+    context "when the uri already has no query strings" do
+      context "but no token yet" do
+        let(:uri)   { "http://www.an-url.io?firstName=ouioui&lastName=nonnon" }
+        it "returns an url with all the query string and the token" do
+          expect(@url_with_token).to eq "#{uri}&authorizationToken=#{token}"
+        end
+      end
+
+      context "including a token" do
+        let(:uri)   { "http://www.an-url.io?authorizationToken=ouioui&lastName=nonnon" }
+        it "returns an url with all the query string and the new token" do
+          expect(@url_with_token).to eq "http://www.an-url.io?lastName=nonnon&authorizationToken=#{token}"
+        end
+      end
+    end
+  end
+end

data/spec/keycloak-api-rails/public_key_cached_resolver_spec.rb

@@ -0,0 +1,80 @@
+RSpec.describe Keycloak::Service do
+
+  let(:public_key_cache_ttl)  { 86400 }
+  let(:server_url)            { "whatever:8080" }
+  let(:realm_id)              { "pouet" }
+  let!(:resolver)             { Keycloak::PublicKeyCachedResolver.new(server_url, realm_id, public_key_cache_ttl) }
+
+  before(:each) do
+    resolver.instance_variable_set(:@resolver, Keycloak::PublicKeyResolverStub.new)
+    now = Time.local(2018, 1, 9, 12, 0, 0)
+    Timecop.freeze(now)
+  end
+
+  after(:each) do
+    Timecop.return
+  end
+
+  describe "#find_public_key" do
+    context "when there is no public key in cache yet" do
+      before(:each) do
+        @public_key = resolver.find_public_keys
+      end
+
+      it "returns a valid public key" do
+        expect(@public_key).to_not be_nil
+      end
+
+      it "sets the current time to the resolver" do
+        expect(resolver.cached_public_key_retrieved_at).to eq Time.now
+      end
+    end
+
+    context "when there is already a public key in cache" do
+      before(:each) do
+        @first_public_key                     = resolver.find_public_keys
+        @first_cached_public_key_retrieved_at = resolver.cached_public_key_retrieved_at
+      end
+
+      context "and no need to refresh it" do
+        before(:each) do
+          Timecop.freeze(Time.now + public_key_cache_ttl.seconds - 10.seconds)
+          @second_public_key                     = resolver.find_public_keys
+          @second_cached_public_key_retrieved_at = resolver.cached_public_key_retrieved_at
+        end
+
+        it "returns a valid public key" do
+          expect(@second_public_key).to_not be_nil
+        end
+
+        it "does not refresh the public key" do
+          expect(@second_public_key).to eq @first_public_key
+        end
+
+        it "does not refresh the public key retrieval time" do
+          expect(@first_cached_public_key_retrieved_at).to eq @second_cached_public_key_retrieved_at
+        end
+      end
+
+      context "and its TTL has expired" do
+        before(:each) do
+          Timecop.freeze(Time.now + public_key_cache_ttl.seconds + 10.seconds)
+          @second_public_key                     = resolver.find_public_keys
+          @second_cached_public_key_retrieved_at = resolver.cached_public_key_retrieved_at
+        end
+
+        it "returns a valid public key" do
+          expect(@second_public_key).to_not be_nil
+        end
+
+        it "refreshes the public key" do
+          expect(@second_public_key).to_not eq @first_public_key
+        end
+
+        it "refreshes the public key retrieval time" do
+          expect(@first_cached_public_key_retrieved_at).to_not eq @second_cached_public_key_retrieved_at
+        end
+      end
+    end
+  end
+end

data/spec/keycloak-api-rails/service_spec.rb

@@ -0,0 +1,234 @@
+RSpec.describe Keycloak::Service do
+
+  let!(:private_key)  { OpenSSL::PKey::RSA.generate(2048) }
+  let!(:public_key)   { private_key.public_key }
+  let!(:key_resolver)  { Keycloak::PublicKeyCachedResolverStub.new(public_key) }
+  let!(:service)       { Keycloak::Service.new(key_resolver) }
+  
+  before(:each) do
+    now = Time.local(2018, 1, 9, 12, 0, 0)
+    Timecop.freeze(now)
+  end
+
+  after(:each) do
+    Timecop.return
+  end
+
+  describe "#decode_and_verify" do
+    def create_token(private_key, expiration_date, algorithm)
+      claim = {
+        iss: "Keycloak",
+        exp: expiration_date,
+        nbf: Time.local(2018, 1, 1, 0, 0, 0)
+      }
+      jws = JSON::JWT.new(claim).sign(private_key, algorithm)
+      jws.to_s
+    end
+
+    context "when token is nil" do
+      let(:token) { nil }
+      it "should raise an error :no_token" do
+        expect {
+          service.decode_and_verify(token)
+        }.to raise_error(TokenError, "No JWT token provided")
+      end
+    end
+
+    context "when token is an empty string" do
+      let(:token) { "" }
+      it "should raise an error :no_token" do
+        expect {
+          service.decode_and_verify(token)
+        }.to raise_error(TokenError, "No JWT token provided")
+      end
+    end
+
+    context "when token is in an invalid format" do
+      let(:token) { "coucou" }
+      it "should raise an error :invalid_format" do
+        expect {
+          service.decode_and_verify(token)
+        }.to raise_error(TokenError, "Wrong JWT Format")
+      end
+    end
+
+    context "when token is in a valid format" do
+      let(:algorithm)       { :RS256 }
+      let(:expiration_date) { 1.week.from_now }
+
+      context "and token is generated by another private key" do
+        let(:another_private_key)  { OpenSSL::PKey::RSA.generate(1024) }
+        let(:token)                { create_token(another_private_key, expiration_date, algorithm) }
+        
+        it "should raise an error :verification_failed" do
+          expect {
+            service.decode_and_verify(token)
+          }.to raise_error(TokenError, "Failed to verify JWT token")
+        end
+      end
+
+      context "and token is generated by the right private key" do
+        let(:token) { create_token(private_key, expiration_date, algorithm) }
+        
+        context "and token is expired" do
+          let(:expiration_date) { Time.now - 2.days }
+          
+          it "should raise an error :expiration_date" do
+            expect {
+              service.decode_and_verify(token)
+            }.to raise_error(TokenError, "JWT token is expired")
+          end
+        end
+
+        context "and token is not expired" do
+          let(:expiration_date) { Time.now + 2.days }
+          
+          context "and token is encrypted using RS256" do
+            let(:algorithm) { :RS256 }
+            
+            it "should return a not-nil decoded token" do
+              expect(service.decode_and_verify(token)).to_not be_nil
+            end
+          end
+
+          context "and token is encrypted using RS512" do
+            let(:algorithm) { :RS512 }
+            
+            it "should return a not-nil decoded token" do
+              expect(service.decode_and_verify(token)).to_not be_nil
+            end
+          end
+        end
+      end
+    end
+  end
+
+  describe "#need_authentication?" do
+
+    let(:method)  { nil }
+    let(:path)    { nil }
+    let(:headers) { {} }
+
+
+    before(:each) do
+      Keycloak.config.skip_paths = {
+        post:   [/^\/skip/],
+        get:    [/^\/skip/]
+      }
+      @result = service.need_authentication?(method, path, headers)
+    end
+
+    context "when method is nil" do
+      let(:method) { nil }
+      let(:path)   { "/do-not-skip" }
+      it "should return true" do
+        expect(@result).to be true
+      end
+    end
+
+    context "when path is nil" do
+      let(:method) { :get }
+      let(:path)   { nil }
+      it "should return true" do
+        expect(@result).to be true
+      end
+    end
+
+    context "when method does not match the configuration" do
+      let(:method) { :put }
+      let(:path)   { "/skip" }
+      it "should return true" do
+        expect(@result).to be true
+      end
+    end
+
+    context "when path does not match the configuration" do
+      let(:method) { :get }
+      let(:path)   { "/do-not-skip" }
+      it "should return true" do
+        expect(@result).to be true
+      end
+    end
+
+    context "when method [get] and path do match the configuration" do
+      let(:method) { :get }
+      let(:path)   { "/skip" }
+      it "should return false" do
+        expect(@result).to be false
+      end
+    end
+
+
+    context "when method [post] and path do match the configuration" do
+      let(:method) { :get }
+      let(:path)   { "/skip" }
+      it "should return false" do
+        expect(@result).to be false
+      end
+    end
+
+    context "when the request is preflight" do
+      let(:method)  { :options }
+      let(:headers) { { "HTTP_ACCESS_CONTROL_REQUEST_METHOD" => ["Authorization"] } }
+      let(:path)    { "/do-not-skip" }
+      it "should return false" do
+        expect(@result).to be false
+      end
+    end
+  end
+
+  describe "#read_token" do
+    let(:query_string)       { "" }
+    let(:url)                { "http://api.service.com/api/health?aParameter=true#{query_string}" }
+    let(:headers)            { {} }
+    let(:header_token)       { "header_token" }
+    let(:query_string_token) { "query_string_token" }
+
+    before(:each) do
+      @token = service.read_token(url, headers)
+    end
+
+    context "when the token is provided in the Authorization headers" do
+      let(:headers) do
+        {
+          "HTTP_AUTHORIZATION" => "Bearer #{header_token}"
+        }
+      end
+      context "and not in the query string" do
+        let(:query_string) { "" }
+        it "returns the header token" do
+          expect(@token).to eq header_token
+        end
+      end
+
+      context "and also in the query string" do
+        let(:query_string) { "&authorizationToken=#{query_string_token}" }
+        it "returns the query string token" do
+          expect(@token).to eq query_string_token
+        end
+      end
+    end
+
+    context "when the token is not provided in the Authorization headers" do
+      let(:headers) do
+        {
+          "ANOTHER_HEADER" => header_token
+        }
+      end
+
+      context "and not in the query string" do
+        let(:query_string) { "" }
+        it "returns an empty token" do
+          expect(@token).to eq ""
+        end
+      end
+
+      context "but in the query string" do
+        let(:query_string) { "&authorizationToken=#{query_string_token}" }
+        it "returns the query string token" do
+          expect(@token).to eq query_string_token
+        end
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,14 @@
+require_relative "../lib/keycloak-api-rails"
+require_relative "support/rails_helper"
+require_relative "support/public_key_cached_resolver_stub"
+require_relative "support/public_key_resolver_stub"
+require "timecop"
+require "byebug"
+
+RSpec.configure do |config|
+  config.include RailsHelper
+  
+  config.expect_with :rspec do |expectations|
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+end

data/spec/support/public_key_cached_resolver_stub.rb

@@ -0,0 +1,11 @@
+module Keycloak
+  class PublicKeyCachedResolverStub
+    def initialize(public_key)
+      @public_key = public_key
+    end
+
+    def find_public_keys
+      @public_key
+    end
+  end
+end

data/spec/support/public_key_resolver_stub.rb

@@ -0,0 +1,7 @@
+module Keycloak
+  class PublicKeyResolverStub
+    def find_public_keys
+      OpenSSL::PKey::RSA.generate(1024).public_key
+    end
+  end
+end

data/spec/support/rails_helper.rb

@@ -0,0 +1,4 @@
+require "rails/all"
+
+module RailsHelper
+end

metadata

@@ -0,0 +1,145 @@
+--- !ruby/object:Gem::Specification
+name: keycloak-api-rails
+version: !ruby/object:Gem::Version
+  version: '0.6'
+platform: ruby
+authors:
+- Lorent Lempereur
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-01-17 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4.2'
+- !ruby/object:Gem::Dependency
+  name: json-jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.8.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.8.3
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 3.7.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 3.7.0
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.9.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.9.1
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 9.1.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 9.1.0
+description: Rails middleware that validates Authorization token emitted by Keycloak
+email:
+- lorent.lempereur.dev@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- Dockerfile
+- Gemfile
+- Gemfile.lock
+- MIT-LICENSE
+- README.md
+- keycloak-api-rails.gemspec
+- lib/keycloak-api-rails.rb
+- lib/keycloak-api-rails/configuration.rb
+- lib/keycloak-api-rails/helper.rb
+- lib/keycloak-api-rails/middleware.rb
+- lib/keycloak-api-rails/public_key_cached_resolver.rb
+- lib/keycloak-api-rails/public_key_resolver.rb
+- lib/keycloak-api-rails/railtie.rb
+- lib/keycloak-api-rails/service.rb
+- lib/keycloak-api-rails/token_error.rb
+- lib/keycloak-api-rails/version.rb
+- spec/keycloak-api-rails/helper_spec.rb
+- spec/keycloak-api-rails/public_key_cached_resolver_spec.rb
+- spec/keycloak-api-rails/service_spec.rb
+- spec/spec_helper.rb
+- spec/support/public_key_cached_resolver_stub.rb
+- spec/support/public_key_resolver_stub.rb
+- spec/support/rails_helper.rb
+homepage: https://github.com/looorent/keycloak-api-rails
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.4
+signing_key: 
+specification_version: 4
+summary: Rails middleware that validates Authorization token emitted by Keycloak
+test_files: []