keycloak_rack 1.0.0

data/spec/dummy/config/initializers/wrap_parameters.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+# Be sure to restart your server when you modify this file.
+
+# This file contains settings for ActionController::ParamsWrapper which
+# is enabled by default.
+
+# Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array.
+ActiveSupport.on_load(:action_controller) do
+  wrap_parameters format: [:json]
+end

data/spec/dummy/config/keycloak.yml

@@ -0,0 +1,12 @@
+default: &default
+  server_url: "http://keycloak.example.com/auth"
+  realm_id: Test
+
+development:
+  <<: *default
+
+test:
+  <<: *default
+
+production:
+  <<: *default

data/spec/dummy/config/locales/en.yml

@@ -0,0 +1,33 @@
+# Files in the config/locales directory are used for internationalization
+# and are automatically loaded by Rails. If you want to use locales other
+# than English, add the necessary files in this directory.
+#
+# To use the locales, use `I18n.t`:
+#
+#     I18n.t 'hello'
+#
+# In views, this is aliased to just `t`:
+#
+#     <%= t('hello') %>
+#
+# To use a different locale, set it with `I18n.locale`:
+#
+#     I18n.locale = :es
+#
+# This would use the information in config/locales/es.yml.
+#
+# The following keys must be escaped otherwise they will not be retrieved by
+# the default I18n backend:
+#
+# true, false, on, off, yes, no
+#
+# Instead, surround them with single quotes.
+#
+# en:
+#   'true': 'foo'
+#
+# To learn more, please read the Rails Internationalization guide
+# available at https://guides.rubyonrails.org/i18n.html.
+
+en:
+  hello: "Hello world"

data/spec/dummy/config/routes.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+Rails.application.routes.draw do
+  root to: "test#root"
+end

data/spec/dummy/public/robots.txt

@@ -0,0 +1 @@
+# See https://www.robotstxt.org/robotstxt.html for documentation on how to use the robots.txt file

data/spec/dummy/tmp/development_secret.txt

@@ -0,0 +1 @@
+e4c5defcf0e8aedd26fd7bfe2e676e81546b2979f29b2a19a37be9c8428533b3102527517380707731dea750778c92fdab1cd4707c6c616ff37fc5bedd535831

data/spec/factories/decoded_token.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :decoded_token, class: "KeycloakRack::DecodedToken" do
+    data { {} }
+    expires_at { 3.hours.from_now }
+    issued_at { Time.current }
+    leeway { 10 }
+
+    initialize_with do
+      TokenHelper.new.build_decoded_token(**attributes)
+    end
+
+    to_create do |instance|
+      instance
+    end
+  end
+end

data/spec/factories/session.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :session, class: "KeycloakRack::Session" do
+    token { FactoryBot.create :decoded_token }
+    skipped { false }
+    auth_result { Dry::Monads.Success token }
+
+    initialize_with do
+      KeycloakRack::Session.new(**attributes)
+    end
+
+    to_create do |instance|
+      instance
+    end
+
+    trait :anonymous do
+      token { nil }
+    end
+  end
+end

data/spec/factories/token_payload.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :token_payload, class: Hash do
+    transient do
+      realm_roles { ["foo"] }
+      widget_roles { ["bar"] }
+    end
+
+    aud { "keycloak" }
+    azp { "keycloak" }
+    nonce { SecureRandom.uuid }
+    session_state { SecureRandom.uuid }
+    allowed_origins { ["http://example.com"] }
+
+    sub { SecureRandom.uuid }
+    realm_access { { "roles" => Array(realm_roles) } }
+    resource_access do
+      { "widgets" => { "roles" => Array(widget_roles) } }
+    end
+    scope { "openid" }
+
+    email_verified { true }
+    given_name { Faker::Name.first_name }
+    family_name { Faker::Name.last_name }
+    name { "#{given_name} #{family_name}" }
+    preferred_username do
+      Faker::Internet.username specifier: "#{given_name}.#{family_name}"
+    end
+    email { Faker::Internet.safe_email name: name }
+
+    custom_attribute { "custom_value" }
+
+    initialize_with do
+      Hash(attributes).tap do |h|
+        h["allowed-origins"] = Array(h.delete("allowed_origins"))
+      end
+    end
+  end
+end

data/spec/keycloak_rack/authorize_realm_spec.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+RSpec.describe KeycloakRack::AuthorizeRealm do
+  let(:session) { FactoryBot.create :session }
+
+  let(:instance) { session.authorize_realm }
+
+  it "works with an authorized realm role" do
+    expect(instance.call("foo")).to be_a_success
+  end
+
+  it "fails with an unauthorized realm role" do
+    expect(instance.call("bar")).to be_a_failure
+  end
+end

data/spec/keycloak_rack/authorize_resource_spec.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+RSpec.describe KeycloakRack::AuthorizeResource do
+  let(:session) { FactoryBot.create :session }
+
+  let(:instance) { session.authorize_resource }
+
+  it "works with an authorized widget role" do
+    expect(instance.call("widgets", "bar")).to be_a_success
+  end
+
+  it "fails with an unauthorized widget role" do
+    expect(instance.call("widgets", "baz")).to be_a_failure
+  end
+
+  it "fails with an unknown resource" do
+    expect(instance.call("unknown", "bar")).to be_a_failure
+  end
+end

data/spec/keycloak_rack/decoded_token_spec.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+RSpec.describe KeycloakRack::DecodedToken do
+  let(:instance) { FactoryBot.create :decoded_token }
+
+  describe "#fetch" do
+    it "can fetch aliases" do
+      expect(instance.fetch(:keycloak_id)).to eq instance.sub
+    end
+
+    it "can be used to get custom attributes" do
+      expect(instance.fetch(:custom_attribute)).to eq "custom_value"
+    end
+  end
+
+  describe "#slice" do
+    it "can slice attributes and aliases" do
+      expect(instance.slice(:email, :first_name)).to include_json(email: instance.email, first_name: instance.given_name)
+    end
+
+    it "can slice custom attributes" do
+      expect(instance.slice(:custom_attribute)).to include_json(custom_attribute: a_kind_of(String))
+    end
+
+    it "raises an error when trying to slice an unknown attribute" do
+      expect do
+        instance.slice(:heck)
+      end.to raise_error KeycloakRack::DecodedToken::UnknownAttribute
+    end
+  end
+end

data/spec/keycloak_rack/key_resolver_spec.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+RSpec.describe KeycloakRack::KeyResolver do
+  include_context "with mocked keycloak"
+
+  let(:cache_ttl) { config_cache_ttl }
+
+  let!(:resolver) { described_class.new }
+
+  let(:start_time) do
+    Time.local(2021, 4, 3, 0, 0).in_time_zone
+  end
+
+  subject { resolver }
+
+  def fetch_keys(at:)
+    Timecop.freeze at do
+      {
+        public_key:   resolver.find_public_keys,
+        retrieved_at: resolver.cached_public_key_retrieved_at,
+      }
+    end
+  end
+
+  describe "#find_public_key" do
+    context "when there is no public key in cache yet" do
+      let!(:public_key) do
+        Timecop.freeze start_time do
+          resolver.find_public_keys
+        end
+      end
+
+      it "returns a valid public key" do
+        expect(public_key).to be_a_success
+      end
+
+      it "sets the current time to the resolver" do
+        expect(resolver.cached_public_key_retrieved_at).to eq start_time
+      end
+    end
+
+    context "when there is already a public key in cache" do
+      let!(:first_fetch) do
+        fetch_keys at: start_time
+      end
+
+      let!(:first_public_key) { first_fetch[:public_key] }
+
+      let!(:first_retrieved_at) { first_fetch[:retrieved_at] }
+
+      context "with no need to refresh it" do
+        let(:almost_a_day_later) { start_time + cache_ttl.seconds - 10.seconds }
+
+        let!(:second_fetch) do
+          fetch_keys at: almost_a_day_later
+        end
+
+        let(:second_public_key) { second_fetch[:public_key] }
+        let(:second_retrieved_at) { second_fetch[:retrieved_at] }
+
+        it "returns a valid public key" do
+          expect(second_public_key).to be_a_success
+        end
+
+        it "does not refresh the public key" do
+          expect(second_public_key.value!).to be first_public_key.value!
+        end
+
+        it "does not refresh the public key retrieval time" do
+          expect(first_retrieved_at).to eq second_retrieved_at
+        end
+      end
+
+      context "when its TTL has expired" do
+        let(:over_a_day_later) { start_time + cache_ttl.seconds + 10.seconds }
+
+        let!(:second_fetch) { fetch_keys at: over_a_day_later }
+        let(:second_public_key) { second_fetch[:public_key] }
+        let(:second_retrieved_at) { second_fetch[:retrieved_at] }
+
+        it "returns a valid public key" do
+          expect(second_public_key).to be_a_success
+        end
+
+        it "refreshes the public key" do
+          expect(second_public_key.value!).not_to be first_public_key.value!
+        end
+
+        it "refreshes the public key retrieval time" do
+          expect(first_retrieved_at).not_to eq second_retrieved_at
+        end
+      end
+    end
+  end
+end

data/spec/keycloak_rack/middleware_spec.rb

@@ -0,0 +1,172 @@
+# frozen_string_literal: true
+
+RSpec.describe KeycloakRack::Middleware do
+  include Rack::Test::Methods
+
+  include_context "with mocked keycloak"
+  include_context "with mocked rack application"
+
+  before do
+    refresh_public_keys!
+  end
+
+  let(:app) do
+    ra = rack_application
+
+    Rack::Builder.app do
+      use KeycloakRack::Middleware
+
+      run ra
+    end
+  end
+
+  it "fails with an invalid bearer token" do
+    header "Authorization", "Bearer whoops"
+
+    get ?/
+
+    expect(last_response).to be_bad_request
+  end
+
+  context "with an anonymous request" do
+    context "when unauthenticated requests are allowed" do
+      let(:config_allow_anonymous) { true }
+
+      it "works" do
+        get ?/
+
+        expect(last_response).to be_ok
+      end
+    end
+
+    context "when unauthenticated requests are forbidden" do
+      it "is unauthorized" do
+        get ?/
+
+        expect(last_response).to be_unauthorized
+      end
+    end
+  end
+
+  context "when the token's key id doesn't match expectations" do
+    let(:token) { token_helper.build_token with_random_jwk: true }
+
+    before do
+      header "Authorization", "Bearer #{token}"
+    end
+
+    it "fails" do
+      get ?/
+
+      expect(last_response).to be_bad_request
+    end
+  end
+
+  context "with a valid token" do
+    let(:expires_at) { 1.hour.from_now }
+
+    let(:token) { token_helper.build_token expires_at: expires_at }
+
+    let(:leeway_expires) { expires_at + 10 - 1.second }
+
+    let(:expected_partial_rack_environment) do
+      {
+        "keycloak:session" => a_kind_of(KeycloakRack::Session),
+        "keycloak:authorize_realm" => a_kind_of(KeycloakRack::AuthorizeRealm),
+        "keycloak:authorize_resource" => a_kind_of(KeycloakRack::AuthorizeResource),
+      }
+    end
+
+    before do
+      header "Authorization", "Bearer #{token}"
+    end
+
+    it "sets the expected keys in the rack environment" do
+      get ?/
+
+      expect(last_response).to be_ok
+
+      expect(last_rack_environment).to include_json(expected_partial_rack_environment)
+    end
+
+    it "fails when expired" do
+      Timecop.freeze(expires_at + 1.hour) do
+        get ?/
+      end
+
+      expect(last_response).to be_forbidden
+    end
+
+    it "honors leeway" do
+      Timecop.freeze(leeway_expires) do
+        get ?/
+      end
+
+      expect(last_response).to be_ok
+    end
+
+    context "when the keycloak server fails to provide a valid public key" do
+      context "when the server returns an error" do
+        let(:mocked_public_key_response) do
+          {
+            body: "Whoops",
+            status: 500
+          }
+        end
+
+        it "fails" do
+          get ?/
+
+          expect(last_response).to be_server_error
+        end
+      end
+
+      context "when the JSON is invalid" do
+        let(:mocked_public_key_response) do
+          {
+            body: "{ foo",
+            status: 200
+          }
+        end
+
+        it "fails" do
+          get ?/
+
+          expect(last_response).to be_server_error
+        end
+      end
+
+      context "when :alg is missing from the keys" do
+        let(:jwks_response) do
+          super().tap do |h|
+            h["keys"].each do |k|
+              k.delete("alg")
+            end
+          end
+        end
+
+        it "fails" do
+          get ?/
+
+          expect(last_response).to be_server_error
+        end
+      end
+    end
+  end
+
+  context "with a skip configuration" do
+    let(:config_skip_paths) do
+      {
+        get: %w[/ping]
+      }
+    end
+
+    it "skips authentication" do
+      get "/ping"
+
+      expect(last_response).to be_ok
+
+      expect(last_response.body).to match(/anonymous/)
+    end
+  end
+end