keycloak_rack 1.0.0

data/spec/keycloak_rack/rails_integration_spec.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+RSpec.describe "Rails integration" do
+  include_context "with mocked keycloak"
+
+  before :context do
+    skip "Rails isn't tested in this environment" unless defined?(Rails)
+  end
+
+  describe "request specs", type: :request do
+    it "is unauthorized with header" do
+      expect do
+        get root_path
+      end.not_to raise_error
+
+      expect(response).to be_unauthorized
+    end
+
+    context "when a valid token is provided", type: :request do
+      let!(:token) { token_helper.build_token }
+
+      let!(:headers) do
+        {
+          "Authorization" => "Bearer #{token}",
+        }
+      end
+
+      def make_request!
+        get root_path, headers: headers
+      end
+
+      it "authenticates as expected" do
+        expect do
+          make_request!
+        end.not_to raise_error
+
+        expect(response).to be_ok
+
+        expect(response.body).to include_json keycloak_id: a_kind_of(String)
+      end
+    end
+  end
+end

data/spec/keycloak_rack/session_spec.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+RSpec.describe KeycloakRack::Session do
+  let(:session) { FactoryBot.create :session }
+
+  subject { session }
+
+  context "with a session built from a valid token" do
+    it { is_expected.to be_authenticated }
+
+    it { is_expected.not_to be_anonymous }
+
+    it "can authorize realm roles" do
+      expect(session.authorize_realm!("foo")).to be_a_success
+    end
+
+    it "can authorize resource roles" do
+      expect(session.authorize_resource!("widgets", "bar")).to be_a_success
+    end
+  end
+
+  context "with an anonymous session" do
+    let(:session) { FactoryBot.create :session, :anonymous }
+
+    it { is_expected.to be_anonymous }
+
+    it { is_expected.not_to be_authenticated }
+
+    it "can authorize realm roles" do
+      expect(session.authorize_realm!("foo")).to be_a_failure
+    end
+
+    it "can authorize resource roles" do
+      expect(session.authorize_resource!("widgets", "bar")).to be_a_failure
+    end
+  end
+end

data/spec/keycloak_rack/skip_authentication_spec.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+RSpec.describe KeycloakRack::SkipAuthentication do
+  include Rack::Test::Methods
+  include_context "with mocked keycloak"
+
+  before do
+    KeycloakRack.configure do |c|
+      c.skip_paths = {
+        get: ["/ping"],
+        post: [%r{\A/foo.+bar}]
+      }
+    end
+  end
+
+  let(:skipper) { described_class.new }
+
+  let(:app) do
+    ->(env) do
+      result = skipper.call env
+
+      # We treat "skipped" as no content, allowed as ok, and anything else as server error
+
+      status = result.fmap { |x| x ? 204 : 200 }.value_or(500)
+
+      [status, {}, ["HTTP #{status}"]]
+    end
+  end
+
+  it "skips GET /ping" do
+    get "/ping"
+
+    expect(last_response).to be_no_content
+  end
+
+  it "skips POST /foo/baz/bar (with a regular expression)" do
+    post "/foo/baz/bar"
+
+    expect(last_response).to be_no_content
+  end
+
+  it "does not skip anything else" do
+    get "/anywhere/else"
+
+    expect(last_response).to be_ok
+  end
+
+  it "skips CORS preflight requests" do
+    header "Access-Control-Request-Method", "GET"
+
+    options "/anywhere/else"
+
+    expect(last_response).to be_no_content
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+require "simplecov"
+
+SimpleCov.start do
+  enable_coverage :branch
+
+  add_filter "spec"
+end
+
+require "anyway/testing/helpers"
+require "dry/container/stub"
+require "factory_bot"
+require "faker"
+require "pry"
+require "rack/test"
+require "rspec/json_expectations"
+require "timecop"
+require "webmock/rspec"
+
+begin
+  require_relative "./dummy/config/environment"
+  require "rspec/rails"
+rescue LoadError
+  # For appraisals with rails
+end
+
+require "keycloak_rack"
+
+Dir[File.join(__dir__, "support/**/*.rb")].sort.each { |f| require f }
+
+RSpec.configure do |config|
+  config.include Anyway::Testing::Helpers
+  config.include FactoryBot::Syntax::Methods
+
+  config.before(:suite) do
+    FactoryBot.find_definitions
+    KeycloakRack::Container.enable_stubs!
+    WebMock.disable_net_connect!
+  end
+
+  config.expect_with :rspec do |expectations|
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  config.mock_with :rspec do |mocks|
+    mocks.verify_partial_doubles = true
+  end
+
+  config.shared_context_metadata_behavior = :apply_to_host_groups
+
+  # This allows you to limit a spec run to individual examples or groups
+  # you care about by tagging them with `:focus` metadata. When nothing
+  # is tagged with `:focus`, all examples get run. RSpec also provides
+  # aliases for `it`, `describe`, and `context` that include `:focus`
+  # metadata: `fit`, `fdescribe` and `fcontext`, respectively.
+  config.filter_run_when_matching :focus
+
+  # Allows RSpec to persist some state between runs in order to support
+  # the `--only-failures` and `--next-failure` CLI options. We recommend
+  # you configure your source control system to ignore this file.
+  config.example_status_persistence_file_path = "spec/examples.txt"
+
+  # Limits the available syntax to the non-monkey patched syntax that is
+  # recommended. For more details, see:
+  #   - http://rspec.info/blog/2012/06/rspecs-new-expectation-syntax/
+  #   - http://www.teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+  #   - http://rspec.info/blog/2014/05/notable-changes-in-rspec-3/#zero-monkey-patching-mode
+  config.disable_monkey_patching!
+
+  # This setting enables warnings. It's recommended, but in some cases may
+  # be too noisy due to issues in dependencies.
+  config.warnings = true
+
+  # Many RSpec users commonly either run the entire suite or an individual
+  # file, and it's useful to allow more verbose output when running an
+  # individual spec file.
+  if config.files_to_run.one?
+    # Use the documentation formatter for detailed output,
+    # unless a formatter has already been configured
+    # (e.g. via a command-line flag).
+    config.default_formatter = "doc"
+  end
+
+  # Print the 10 slowest examples and example groups at the
+  # end of the spec run, to help surface which specs are running
+  # particularly slow.
+  # config.profile_examples = 10
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = :random
+
+  # Seed global randomization in this process using the `--seed` CLI option.
+  # Setting this allows you to use `--seed` to deterministically reproduce
+  # test failures related to randomization by passing the same `--seed` value
+  # as the one that triggered the failure.
+  Kernel.srand config.seed
+end

data/spec/support/contexts/mocked_keycloak.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require_relative "../token_helper"
+
+RSpec.shared_context "with mocked keycloak" do
+  let(:config_server_url) { "http://keycloak.example.com/auth" }
+  let(:config_realm_id) { "Test" }
+  let(:config_allow_anonymous) { false }
+  let(:config_halt_on_auth_failure) { true }
+  let(:config_cache_ttl) { 86_400 }
+  let(:config_skip_paths) { {} }
+  let(:mocked_config_env) do
+    {
+      "KEYCLOAK_SERVER_URL" => config_server_url,
+      "KEYCLOAK_REALM_ID" => config_realm_id,
+      "KEYCLOAK_CACHE_TTL" => config_cache_ttl,
+      "KEYCLOAK_ALLOW_ANONYMOUS" => config_allow_anonymous,
+      "KEYCLOAK_HALT_ON_AUTH_FAILURE" => config_halt_on_auth_failure
+    }
+  end
+
+  let(:token_helper) { TokenHelper.new }
+  let(:jwks_response) { token_helper.jwks.as_json }
+
+  let(:public_key_url) do
+    "#{config_server_url}/realms/#{config_realm_id}/protocol/openid-connect/certs"
+  end
+
+  let(:mocked_public_key_response) do
+    {
+      body: jwks_response.to_json,
+      status: 200
+    }
+  end
+
+  around do |example|
+    with_env(mocked_config_env.transform_values(&:to_s)) do
+      mocked_config = KeycloakRack::Config.new realm_id: config_realm_id
+
+      mocked_config.skip_paths = config_skip_paths
+
+      KeycloakRack::Container.stub("keycloak-rack.config", mocked_config)
+
+      resolver = KeycloakRack::KeyResolver.new
+
+      KeycloakRack::Container.stub("keycloak-rack.key_resolver", resolver)
+
+      example.run
+    end
+  ensure
+    KeycloakRack::Container.unstub("keycloak-rack.config")
+  end
+
+  before do
+    stub_request(:get, public_key_url).
+      to_return(mocked_public_key_response)
+  end
+
+  # @return [void]
+  def refresh_public_keys!
+    KeycloakRack::Container["keycloak-rack.key_resolver"].refresh!
+  end
+end

data/spec/support/contexts/mocked_rack_application.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+RSpec.shared_context "with mocked rack application" do
+  attr_reader :last_rack_environment
+
+  let(:base_app_implementation) do
+    ->(env) do
+      @last_rack_environment = env
+
+      state = env["keycloak:session"].authenticate! do |m|
+        m.success(:authenticated) do
+          "authenticated"
+        end
+
+        m.success do
+          "anonymous"
+        end
+
+        m.failure do
+          "failed"
+        end
+      end
+
+      response = {
+        "auth_state" => state
+      }
+
+      [
+        200,
+        { "Content-Type" => "application/json" },
+        [response.to_json]
+      ]
+    end
+  end
+
+  let(:rack_application) do
+    base_app_implementation.tap do |app|
+      allow(app).to receive(:call).and_call_original
+    end
+  end
+end

data/spec/support/test_key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAxFU3CRb04a2yy1rpACuj9+2HQu1RCw3MKmu2WZe3jicvth/r
+fOYFBi7xoi0SPvur0oyVFffHhphGpNE0InL0EWIT9a1oSpwZdc+e3KqaZkO3c3b9
+sHXPfJ8Sjhf/N50RHpb2sjz0qJ6mV4SyYgyBvnF1/iXFerFIgyTwmIXno2suIS7S
+gu5EYxE/jR99Q8E1bvDXqhrfkAv0G1Ae5c2Wxg4qK7qu8ny+OXRQA921WNxBpToS
+VHBCAhc4ga5tSxQ8Ll26ShLwD9SdKuYDZIndV1ubk01l7vrf6JY2tMJqFFu3Cqh3
+Q19WptxcyIaEp/J4CDyTGpyNq9OuThIKWTveqQIDAQABAoIBAGIJPysNyIfsaUw7
+//7yy7SgahtUT1Satik0keCY7rJQBPYHaFp8rWOSC1x07xh+KSVAx60phftCjHv+
+bu8IwbDwbZEO3vXqjpgSbXw4wFJyW+ePMkxr94h+EhDcELffeU3yCgukfnK4jc1D
+2KM3JY5IL6gRilOitNevmWg/7RPfLugcxFM3a2dfAJ0kO9xUTr5Box/us8dqgk2G
+rJNXqGYg5RpGsBcD08U2xMQCfNoz5OhTKCKkiXFi7bmqqnVVx7O20+afLd980T4J
+AVPF0C/1NW/K7gjztorEP0uMGmmiWVfJ/tCW5okThMo37ZXT+PdLT5K0e20MLZXc
+7trqNGUCgYEA+pOUPW/HpVQaA0yGfH4AjbUPRbunXhb959imWS9qRX2mySOxkXa+
+u+I0MqKDY75ksrvkrfWfdAe9Bb0aY2Y8wERKk0U1B4UJgupQjSGRU90wu8oHnpMR
+GWZYR54WEBUUG2N7MiMd8eOChE0a4M4m27nn12pIxKLYmBSQT6BMSscCgYEAyJUT
+vuc8YSCUVw9QwH8Ij7yxwRso3vo63eEDA30bm7XVjZSoxmMT457ZFs+W2DZOat7J
+uId9H7H1Ipf0Q/hZj4mttbXnOK5hrWBNn2c8cF4wrvLdBIKxToz79s2tCE5cpsSi
+fUv0pLri5MoUoQNUcq/Q7a0WljbZSZqvVpubmw8CgYEA6FPE8mGdnjCoHb7qQqsh
+IEJr8p/WwmpW6Iv7UF2iDuQ9q+ioTtLmbZWCCCCd6fExtHZ5xMEkIpS6MYPv35F/
+alTnQDy+ukYjV3qhTPl+oV9IPBVJk0GQbRhzaZOtqSOiDPLj2sysiwYCkWBcN2ts
+o/VufFBTP94tLHSEiQ97LSkCgYEAk9IZrTTosIO8DrUAw/xaqONc9H05j6pFu8LZ
+37ZRpF1LNn36K8pUnAky37a46jqLbAMoEk/3jGYvzADESVs7VacXV7To5ELPRWCV
+lAYW6pDfu+7Lp0lRthv8jJRjEp39dgGv5jsV3ljEYevza/3yPFsJ1D8dSDK/y5it
+41vmP00CgYBFuydMDA2s9kLS5L8S0sLcinHJobjrCc4VsX8RApMHnrltl7O698Zt
+6H72ovCXgsL07JztfWyIVPH1Z2BDzJE8tjc6FrZP/EvmOsdHcW97uBkap41mNGDR
+/THOPW/BFimtXDch2f2Ja5sDf6nDNBmee8908cSrnObOaAzgQoDdeg==
+-----END RSA PRIVATE KEY-----

data/spec/support/token_helper.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+# @api private
+class TokenHelper
+  extend Dry::Initializer
+
+  ALGORITHM = "RS256"
+
+  option :pem_path, Dry::Types["coercible.string"], default: proc { "#{__dir__}/test_key.pem" }
+
+  def build_token(data: {}, issued_at: Time.current, expires_at: 3.hours.from_now, jti: SecureRandom.uuid, with_random_jwk: false)
+    enriched_data = FactoryBot.attributes_for(:token_payload, data)
+
+    payload = enriched_data.symbolize_keys.merge(
+      aud: "keycloak",
+      auth_time: issued_at.to_i,
+      exp: expires_at.to_i,
+      iat: issued_at.to_i,
+      jti: jti,
+      typ: "JWT",
+      azp: "keycloak",
+    )
+
+    jwk = with_random_jwk ? random_jwk : self.jwk
+
+    headers = {
+      kid: jwk.kid
+    }
+
+    JWT.encode payload, jwk.keypair, ALGORITHM, headers
+  end
+
+  # @return [(Hash, Hash)]
+  def decode_token(token, leeway: resolve_config(:token_leeway))
+    options = {
+      algorithms: [ALGORITHM],
+      leeway: leeway,
+      jwks: { keys: [jwk.export] },
+    }
+
+    JWT.decode token, nil, true, options
+  end
+
+  # @return [KeycloakRack::DecodedToken]
+  def build_decoded_token(**options)
+    leeway = options.delete(:leeway)
+
+    decode_options = { leeway: leeway }
+
+    token = build_token(**options)
+
+    payload, headers = decode_token token, **decode_options
+
+    KeycloakRack::DecodedToken.new payload.merge(original_payload: payload, headers: headers)
+  end
+
+  def jwk
+    @jwk ||= JWT::JWK.new rsa_key
+  end
+
+  def random_jwk
+    JWT::JWK.new OpenSSL::PKey::RSA.generate 2048
+  end
+
+  def jwks
+    @jwks ||= { keys: [jwk.export.reverse_merge(alg: ALGORITHM)] }
+  end
+
+  def resolve_config(value)
+    KeycloakRack::Container["keycloak-rack.config"].public_send(value)
+  end
+
+  def rsa_key
+    @rsa_key ||= OpenSSL::PKey::RSA.new File.read pem_path
+  end
+end