keycloak_rack 1.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.github/workflows/main.yml +68 -0
- data/.gitignore +8 -0
- data/.rspec +2 -0
- data/.rubocop.yml +220 -0
- data/.ruby-version +1 -0
- data/.yardopts +7 -0
- data/Appraisals +16 -0
- data/CHANGELOG.md +10 -0
- data/CODE_OF_CONDUCT.md +132 -0
- data/Gemfile +5 -0
- data/LICENSE +19 -0
- data/README.md +288 -0
- data/Rakefile +10 -0
- data/bin/appraisal +29 -0
- data/bin/console +6 -0
- data/bin/fix-appraisals +14 -0
- data/bin/rake +29 -0
- data/bin/rspec +29 -0
- data/bin/rubocop +29 -0
- data/bin/yard +29 -0
- data/bin/yardoc +29 -0
- data/bin/yri +29 -0
- data/gemfiles/rack_only.gemfile +5 -0
- data/gemfiles/rack_only.gemfile.lock +204 -0
- data/gemfiles/rails_6_0.gemfile +9 -0
- data/gemfiles/rails_6_0.gemfile.lock +323 -0
- data/gemfiles/rails_6_1.gemfile +9 -0
- data/gemfiles/rails_6_1.gemfile.lock +326 -0
- data/keycloak_rack.gemspec +56 -0
- data/lib/keycloak_rack.rb +59 -0
- data/lib/keycloak_rack/authenticate.rb +115 -0
- data/lib/keycloak_rack/authorize_realm.rb +53 -0
- data/lib/keycloak_rack/authorize_resource.rb +54 -0
- data/lib/keycloak_rack/config.rb +84 -0
- data/lib/keycloak_rack/container.rb +53 -0
- data/lib/keycloak_rack/decoded_token.rb +191 -0
- data/lib/keycloak_rack/flexible_struct.rb +20 -0
- data/lib/keycloak_rack/http_client.rb +86 -0
- data/lib/keycloak_rack/import.rb +9 -0
- data/lib/keycloak_rack/key_fetcher.rb +20 -0
- data/lib/keycloak_rack/key_resolver.rb +64 -0
- data/lib/keycloak_rack/middleware.rb +132 -0
- data/lib/keycloak_rack/railtie.rb +14 -0
- data/lib/keycloak_rack/read_token.rb +40 -0
- data/lib/keycloak_rack/resource_role_map.rb +8 -0
- data/lib/keycloak_rack/role_map.rb +15 -0
- data/lib/keycloak_rack/session.rb +44 -0
- data/lib/keycloak_rack/skip_authentication.rb +44 -0
- data/lib/keycloak_rack/types.rb +42 -0
- data/lib/keycloak_rack/version.rb +6 -0
- data/lib/keycloak_rack/with_config.rb +15 -0
- data/spec/dummy/.ruby-version +1 -0
- data/spec/dummy/README.md +24 -0
- data/spec/dummy/Rakefile +8 -0
- data/spec/dummy/app/controllers/application_controller.rb +22 -0
- data/spec/dummy/app/controllers/test_controller.rb +9 -0
- data/spec/dummy/config.ru +8 -0
- data/spec/dummy/config/application.rb +52 -0
- data/spec/dummy/config/boot.rb +3 -0
- data/spec/dummy/config/environment.rb +7 -0
- data/spec/dummy/config/environments/development.rb +51 -0
- data/spec/dummy/config/environments/test.rb +51 -0
- data/spec/dummy/config/initializers/application_controller_renderer.rb +9 -0
- data/spec/dummy/config/initializers/backtrace_silencers.rb +10 -0
- data/spec/dummy/config/initializers/cors.rb +17 -0
- data/spec/dummy/config/initializers/filter_parameter_logging.rb +8 -0
- data/spec/dummy/config/initializers/inflections.rb +17 -0
- data/spec/dummy/config/initializers/mime_types.rb +5 -0
- data/spec/dummy/config/initializers/wrap_parameters.rb +11 -0
- data/spec/dummy/config/keycloak.yml +12 -0
- data/spec/dummy/config/locales/en.yml +33 -0
- data/spec/dummy/config/routes.rb +5 -0
- data/spec/dummy/public/robots.txt +1 -0
- data/spec/dummy/tmp/development_secret.txt +1 -0
- data/spec/factories/decoded_token.rb +18 -0
- data/spec/factories/session.rb +21 -0
- data/spec/factories/token_payload.rb +40 -0
- data/spec/keycloak_rack/authorize_realm_spec.rb +15 -0
- data/spec/keycloak_rack/authorize_resource_spec.rb +19 -0
- data/spec/keycloak_rack/decoded_token_spec.rb +31 -0
- data/spec/keycloak_rack/key_resolver_spec.rb +95 -0
- data/spec/keycloak_rack/middleware_spec.rb +172 -0
- data/spec/keycloak_rack/rails_integration_spec.rb +43 -0
- data/spec/keycloak_rack/session_spec.rb +37 -0
- data/spec/keycloak_rack/skip_authentication_spec.rb +55 -0
- data/spec/spec_helper.rb +101 -0
- data/spec/support/contexts/mocked_keycloak.rb +63 -0
- data/spec/support/contexts/mocked_rack_application.rb +41 -0
- data/spec/support/test_key.pem +27 -0
- data/spec/support/token_helper.rb +76 -0
- metadata +616 -0
@@ -0,0 +1,43 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
RSpec.describe "Rails integration" do
|
4
|
+
include_context "with mocked keycloak"
|
5
|
+
|
6
|
+
before :context do
|
7
|
+
skip "Rails isn't tested in this environment" unless defined?(Rails)
|
8
|
+
end
|
9
|
+
|
10
|
+
describe "request specs", type: :request do
|
11
|
+
it "is unauthorized with header" do
|
12
|
+
expect do
|
13
|
+
get root_path
|
14
|
+
end.not_to raise_error
|
15
|
+
|
16
|
+
expect(response).to be_unauthorized
|
17
|
+
end
|
18
|
+
|
19
|
+
context "when a valid token is provided", type: :request do
|
20
|
+
let!(:token) { token_helper.build_token }
|
21
|
+
|
22
|
+
let!(:headers) do
|
23
|
+
{
|
24
|
+
"Authorization" => "Bearer #{token}",
|
25
|
+
}
|
26
|
+
end
|
27
|
+
|
28
|
+
def make_request!
|
29
|
+
get root_path, headers: headers
|
30
|
+
end
|
31
|
+
|
32
|
+
it "authenticates as expected" do
|
33
|
+
expect do
|
34
|
+
make_request!
|
35
|
+
end.not_to raise_error
|
36
|
+
|
37
|
+
expect(response).to be_ok
|
38
|
+
|
39
|
+
expect(response.body).to include_json keycloak_id: a_kind_of(String)
|
40
|
+
end
|
41
|
+
end
|
42
|
+
end
|
43
|
+
end
|
@@ -0,0 +1,37 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
RSpec.describe KeycloakRack::Session do
|
4
|
+
let(:session) { FactoryBot.create :session }
|
5
|
+
|
6
|
+
subject { session }
|
7
|
+
|
8
|
+
context "with a session built from a valid token" do
|
9
|
+
it { is_expected.to be_authenticated }
|
10
|
+
|
11
|
+
it { is_expected.not_to be_anonymous }
|
12
|
+
|
13
|
+
it "can authorize realm roles" do
|
14
|
+
expect(session.authorize_realm!("foo")).to be_a_success
|
15
|
+
end
|
16
|
+
|
17
|
+
it "can authorize resource roles" do
|
18
|
+
expect(session.authorize_resource!("widgets", "bar")).to be_a_success
|
19
|
+
end
|
20
|
+
end
|
21
|
+
|
22
|
+
context "with an anonymous session" do
|
23
|
+
let(:session) { FactoryBot.create :session, :anonymous }
|
24
|
+
|
25
|
+
it { is_expected.to be_anonymous }
|
26
|
+
|
27
|
+
it { is_expected.not_to be_authenticated }
|
28
|
+
|
29
|
+
it "can authorize realm roles" do
|
30
|
+
expect(session.authorize_realm!("foo")).to be_a_failure
|
31
|
+
end
|
32
|
+
|
33
|
+
it "can authorize resource roles" do
|
34
|
+
expect(session.authorize_resource!("widgets", "bar")).to be_a_failure
|
35
|
+
end
|
36
|
+
end
|
37
|
+
end
|
@@ -0,0 +1,55 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
RSpec.describe KeycloakRack::SkipAuthentication do
|
4
|
+
include Rack::Test::Methods
|
5
|
+
include_context "with mocked keycloak"
|
6
|
+
|
7
|
+
before do
|
8
|
+
KeycloakRack.configure do |c|
|
9
|
+
c.skip_paths = {
|
10
|
+
get: ["/ping"],
|
11
|
+
post: [%r{\A/foo.+bar}]
|
12
|
+
}
|
13
|
+
end
|
14
|
+
end
|
15
|
+
|
16
|
+
let(:skipper) { described_class.new }
|
17
|
+
|
18
|
+
let(:app) do
|
19
|
+
->(env) do
|
20
|
+
result = skipper.call env
|
21
|
+
|
22
|
+
# We treat "skipped" as no content, allowed as ok, and anything else as server error
|
23
|
+
|
24
|
+
status = result.fmap { |x| x ? 204 : 200 }.value_or(500)
|
25
|
+
|
26
|
+
[status, {}, ["HTTP #{status}"]]
|
27
|
+
end
|
28
|
+
end
|
29
|
+
|
30
|
+
it "skips GET /ping" do
|
31
|
+
get "/ping"
|
32
|
+
|
33
|
+
expect(last_response).to be_no_content
|
34
|
+
end
|
35
|
+
|
36
|
+
it "skips POST /foo/baz/bar (with a regular expression)" do
|
37
|
+
post "/foo/baz/bar"
|
38
|
+
|
39
|
+
expect(last_response).to be_no_content
|
40
|
+
end
|
41
|
+
|
42
|
+
it "does not skip anything else" do
|
43
|
+
get "/anywhere/else"
|
44
|
+
|
45
|
+
expect(last_response).to be_ok
|
46
|
+
end
|
47
|
+
|
48
|
+
it "skips CORS preflight requests" do
|
49
|
+
header "Access-Control-Request-Method", "GET"
|
50
|
+
|
51
|
+
options "/anywhere/else"
|
52
|
+
|
53
|
+
expect(last_response).to be_no_content
|
54
|
+
end
|
55
|
+
end
|
data/spec/spec_helper.rb
ADDED
@@ -0,0 +1,101 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require "simplecov"
|
4
|
+
|
5
|
+
SimpleCov.start do
|
6
|
+
enable_coverage :branch
|
7
|
+
|
8
|
+
add_filter "spec"
|
9
|
+
end
|
10
|
+
|
11
|
+
require "anyway/testing/helpers"
|
12
|
+
require "dry/container/stub"
|
13
|
+
require "factory_bot"
|
14
|
+
require "faker"
|
15
|
+
require "pry"
|
16
|
+
require "rack/test"
|
17
|
+
require "rspec/json_expectations"
|
18
|
+
require "timecop"
|
19
|
+
require "webmock/rspec"
|
20
|
+
|
21
|
+
begin
|
22
|
+
require_relative "./dummy/config/environment"
|
23
|
+
require "rspec/rails"
|
24
|
+
rescue LoadError
|
25
|
+
# For appraisals with rails
|
26
|
+
end
|
27
|
+
|
28
|
+
require "keycloak_rack"
|
29
|
+
|
30
|
+
Dir[File.join(__dir__, "support/**/*.rb")].sort.each { |f| require f }
|
31
|
+
|
32
|
+
RSpec.configure do |config|
|
33
|
+
config.include Anyway::Testing::Helpers
|
34
|
+
config.include FactoryBot::Syntax::Methods
|
35
|
+
|
36
|
+
config.before(:suite) do
|
37
|
+
FactoryBot.find_definitions
|
38
|
+
KeycloakRack::Container.enable_stubs!
|
39
|
+
WebMock.disable_net_connect!
|
40
|
+
end
|
41
|
+
|
42
|
+
config.expect_with :rspec do |expectations|
|
43
|
+
expectations.include_chain_clauses_in_custom_matcher_descriptions = true
|
44
|
+
end
|
45
|
+
|
46
|
+
config.mock_with :rspec do |mocks|
|
47
|
+
mocks.verify_partial_doubles = true
|
48
|
+
end
|
49
|
+
|
50
|
+
config.shared_context_metadata_behavior = :apply_to_host_groups
|
51
|
+
|
52
|
+
# This allows you to limit a spec run to individual examples or groups
|
53
|
+
# you care about by tagging them with `:focus` metadata. When nothing
|
54
|
+
# is tagged with `:focus`, all examples get run. RSpec also provides
|
55
|
+
# aliases for `it`, `describe`, and `context` that include `:focus`
|
56
|
+
# metadata: `fit`, `fdescribe` and `fcontext`, respectively.
|
57
|
+
config.filter_run_when_matching :focus
|
58
|
+
|
59
|
+
# Allows RSpec to persist some state between runs in order to support
|
60
|
+
# the `--only-failures` and `--next-failure` CLI options. We recommend
|
61
|
+
# you configure your source control system to ignore this file.
|
62
|
+
config.example_status_persistence_file_path = "spec/examples.txt"
|
63
|
+
|
64
|
+
# Limits the available syntax to the non-monkey patched syntax that is
|
65
|
+
# recommended. For more details, see:
|
66
|
+
# - http://rspec.info/blog/2012/06/rspecs-new-expectation-syntax/
|
67
|
+
# - http://www.teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
|
68
|
+
# - http://rspec.info/blog/2014/05/notable-changes-in-rspec-3/#zero-monkey-patching-mode
|
69
|
+
config.disable_monkey_patching!
|
70
|
+
|
71
|
+
# This setting enables warnings. It's recommended, but in some cases may
|
72
|
+
# be too noisy due to issues in dependencies.
|
73
|
+
config.warnings = true
|
74
|
+
|
75
|
+
# Many RSpec users commonly either run the entire suite or an individual
|
76
|
+
# file, and it's useful to allow more verbose output when running an
|
77
|
+
# individual spec file.
|
78
|
+
if config.files_to_run.one?
|
79
|
+
# Use the documentation formatter for detailed output,
|
80
|
+
# unless a formatter has already been configured
|
81
|
+
# (e.g. via a command-line flag).
|
82
|
+
config.default_formatter = "doc"
|
83
|
+
end
|
84
|
+
|
85
|
+
# Print the 10 slowest examples and example groups at the
|
86
|
+
# end of the spec run, to help surface which specs are running
|
87
|
+
# particularly slow.
|
88
|
+
# config.profile_examples = 10
|
89
|
+
|
90
|
+
# Run specs in random order to surface order dependencies. If you find an
|
91
|
+
# order dependency and want to debug it, you can fix the order by providing
|
92
|
+
# the seed, which is printed after each run.
|
93
|
+
# --seed 1234
|
94
|
+
config.order = :random
|
95
|
+
|
96
|
+
# Seed global randomization in this process using the `--seed` CLI option.
|
97
|
+
# Setting this allows you to use `--seed` to deterministically reproduce
|
98
|
+
# test failures related to randomization by passing the same `--seed` value
|
99
|
+
# as the one that triggered the failure.
|
100
|
+
Kernel.srand config.seed
|
101
|
+
end
|
@@ -0,0 +1,63 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require_relative "../token_helper"
|
4
|
+
|
5
|
+
RSpec.shared_context "with mocked keycloak" do
|
6
|
+
let(:config_server_url) { "http://keycloak.example.com/auth" }
|
7
|
+
let(:config_realm_id) { "Test" }
|
8
|
+
let(:config_allow_anonymous) { false }
|
9
|
+
let(:config_halt_on_auth_failure) { true }
|
10
|
+
let(:config_cache_ttl) { 86_400 }
|
11
|
+
let(:config_skip_paths) { {} }
|
12
|
+
let(:mocked_config_env) do
|
13
|
+
{
|
14
|
+
"KEYCLOAK_SERVER_URL" => config_server_url,
|
15
|
+
"KEYCLOAK_REALM_ID" => config_realm_id,
|
16
|
+
"KEYCLOAK_CACHE_TTL" => config_cache_ttl,
|
17
|
+
"KEYCLOAK_ALLOW_ANONYMOUS" => config_allow_anonymous,
|
18
|
+
"KEYCLOAK_HALT_ON_AUTH_FAILURE" => config_halt_on_auth_failure
|
19
|
+
}
|
20
|
+
end
|
21
|
+
|
22
|
+
let(:token_helper) { TokenHelper.new }
|
23
|
+
let(:jwks_response) { token_helper.jwks.as_json }
|
24
|
+
|
25
|
+
let(:public_key_url) do
|
26
|
+
"#{config_server_url}/realms/#{config_realm_id}/protocol/openid-connect/certs"
|
27
|
+
end
|
28
|
+
|
29
|
+
let(:mocked_public_key_response) do
|
30
|
+
{
|
31
|
+
body: jwks_response.to_json,
|
32
|
+
status: 200
|
33
|
+
}
|
34
|
+
end
|
35
|
+
|
36
|
+
around do |example|
|
37
|
+
with_env(mocked_config_env.transform_values(&:to_s)) do
|
38
|
+
mocked_config = KeycloakRack::Config.new realm_id: config_realm_id
|
39
|
+
|
40
|
+
mocked_config.skip_paths = config_skip_paths
|
41
|
+
|
42
|
+
KeycloakRack::Container.stub("keycloak-rack.config", mocked_config)
|
43
|
+
|
44
|
+
resolver = KeycloakRack::KeyResolver.new
|
45
|
+
|
46
|
+
KeycloakRack::Container.stub("keycloak-rack.key_resolver", resolver)
|
47
|
+
|
48
|
+
example.run
|
49
|
+
end
|
50
|
+
ensure
|
51
|
+
KeycloakRack::Container.unstub("keycloak-rack.config")
|
52
|
+
end
|
53
|
+
|
54
|
+
before do
|
55
|
+
stub_request(:get, public_key_url).
|
56
|
+
to_return(mocked_public_key_response)
|
57
|
+
end
|
58
|
+
|
59
|
+
# @return [void]
|
60
|
+
def refresh_public_keys!
|
61
|
+
KeycloakRack::Container["keycloak-rack.key_resolver"].refresh!
|
62
|
+
end
|
63
|
+
end
|
@@ -0,0 +1,41 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
RSpec.shared_context "with mocked rack application" do
|
4
|
+
attr_reader :last_rack_environment
|
5
|
+
|
6
|
+
let(:base_app_implementation) do
|
7
|
+
->(env) do
|
8
|
+
@last_rack_environment = env
|
9
|
+
|
10
|
+
state = env["keycloak:session"].authenticate! do |m|
|
11
|
+
m.success(:authenticated) do
|
12
|
+
"authenticated"
|
13
|
+
end
|
14
|
+
|
15
|
+
m.success do
|
16
|
+
"anonymous"
|
17
|
+
end
|
18
|
+
|
19
|
+
m.failure do
|
20
|
+
"failed"
|
21
|
+
end
|
22
|
+
end
|
23
|
+
|
24
|
+
response = {
|
25
|
+
"auth_state" => state
|
26
|
+
}
|
27
|
+
|
28
|
+
[
|
29
|
+
200,
|
30
|
+
{ "Content-Type" => "application/json" },
|
31
|
+
[response.to_json]
|
32
|
+
]
|
33
|
+
end
|
34
|
+
end
|
35
|
+
|
36
|
+
let(:rack_application) do
|
37
|
+
base_app_implementation.tap do |app|
|
38
|
+
allow(app).to receive(:call).and_call_original
|
39
|
+
end
|
40
|
+
end
|
41
|
+
end
|
@@ -0,0 +1,27 @@
|
|
1
|
+
-----BEGIN RSA PRIVATE KEY-----
|
2
|
+
MIIEpAIBAAKCAQEAxFU3CRb04a2yy1rpACuj9+2HQu1RCw3MKmu2WZe3jicvth/r
|
3
|
+
fOYFBi7xoi0SPvur0oyVFffHhphGpNE0InL0EWIT9a1oSpwZdc+e3KqaZkO3c3b9
|
4
|
+
sHXPfJ8Sjhf/N50RHpb2sjz0qJ6mV4SyYgyBvnF1/iXFerFIgyTwmIXno2suIS7S
|
5
|
+
gu5EYxE/jR99Q8E1bvDXqhrfkAv0G1Ae5c2Wxg4qK7qu8ny+OXRQA921WNxBpToS
|
6
|
+
VHBCAhc4ga5tSxQ8Ll26ShLwD9SdKuYDZIndV1ubk01l7vrf6JY2tMJqFFu3Cqh3
|
7
|
+
Q19WptxcyIaEp/J4CDyTGpyNq9OuThIKWTveqQIDAQABAoIBAGIJPysNyIfsaUw7
|
8
|
+
//7yy7SgahtUT1Satik0keCY7rJQBPYHaFp8rWOSC1x07xh+KSVAx60phftCjHv+
|
9
|
+
bu8IwbDwbZEO3vXqjpgSbXw4wFJyW+ePMkxr94h+EhDcELffeU3yCgukfnK4jc1D
|
10
|
+
2KM3JY5IL6gRilOitNevmWg/7RPfLugcxFM3a2dfAJ0kO9xUTr5Box/us8dqgk2G
|
11
|
+
rJNXqGYg5RpGsBcD08U2xMQCfNoz5OhTKCKkiXFi7bmqqnVVx7O20+afLd980T4J
|
12
|
+
AVPF0C/1NW/K7gjztorEP0uMGmmiWVfJ/tCW5okThMo37ZXT+PdLT5K0e20MLZXc
|
13
|
+
7trqNGUCgYEA+pOUPW/HpVQaA0yGfH4AjbUPRbunXhb959imWS9qRX2mySOxkXa+
|
14
|
+
u+I0MqKDY75ksrvkrfWfdAe9Bb0aY2Y8wERKk0U1B4UJgupQjSGRU90wu8oHnpMR
|
15
|
+
GWZYR54WEBUUG2N7MiMd8eOChE0a4M4m27nn12pIxKLYmBSQT6BMSscCgYEAyJUT
|
16
|
+
vuc8YSCUVw9QwH8Ij7yxwRso3vo63eEDA30bm7XVjZSoxmMT457ZFs+W2DZOat7J
|
17
|
+
uId9H7H1Ipf0Q/hZj4mttbXnOK5hrWBNn2c8cF4wrvLdBIKxToz79s2tCE5cpsSi
|
18
|
+
fUv0pLri5MoUoQNUcq/Q7a0WljbZSZqvVpubmw8CgYEA6FPE8mGdnjCoHb7qQqsh
|
19
|
+
IEJr8p/WwmpW6Iv7UF2iDuQ9q+ioTtLmbZWCCCCd6fExtHZ5xMEkIpS6MYPv35F/
|
20
|
+
alTnQDy+ukYjV3qhTPl+oV9IPBVJk0GQbRhzaZOtqSOiDPLj2sysiwYCkWBcN2ts
|
21
|
+
o/VufFBTP94tLHSEiQ97LSkCgYEAk9IZrTTosIO8DrUAw/xaqONc9H05j6pFu8LZ
|
22
|
+
37ZRpF1LNn36K8pUnAky37a46jqLbAMoEk/3jGYvzADESVs7VacXV7To5ELPRWCV
|
23
|
+
lAYW6pDfu+7Lp0lRthv8jJRjEp39dgGv5jsV3ljEYevza/3yPFsJ1D8dSDK/y5it
|
24
|
+
41vmP00CgYBFuydMDA2s9kLS5L8S0sLcinHJobjrCc4VsX8RApMHnrltl7O698Zt
|
25
|
+
6H72ovCXgsL07JztfWyIVPH1Z2BDzJE8tjc6FrZP/EvmOsdHcW97uBkap41mNGDR
|
26
|
+
/THOPW/BFimtXDch2f2Ja5sDf6nDNBmee8908cSrnObOaAzgQoDdeg==
|
27
|
+
-----END RSA PRIVATE KEY-----
|
@@ -0,0 +1,76 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
# @api private
|
4
|
+
class TokenHelper
|
5
|
+
extend Dry::Initializer
|
6
|
+
|
7
|
+
ALGORITHM = "RS256"
|
8
|
+
|
9
|
+
option :pem_path, Dry::Types["coercible.string"], default: proc { "#{__dir__}/test_key.pem" }
|
10
|
+
|
11
|
+
def build_token(data: {}, issued_at: Time.current, expires_at: 3.hours.from_now, jti: SecureRandom.uuid, with_random_jwk: false)
|
12
|
+
enriched_data = FactoryBot.attributes_for(:token_payload, data)
|
13
|
+
|
14
|
+
payload = enriched_data.symbolize_keys.merge(
|
15
|
+
aud: "keycloak",
|
16
|
+
auth_time: issued_at.to_i,
|
17
|
+
exp: expires_at.to_i,
|
18
|
+
iat: issued_at.to_i,
|
19
|
+
jti: jti,
|
20
|
+
typ: "JWT",
|
21
|
+
azp: "keycloak",
|
22
|
+
)
|
23
|
+
|
24
|
+
jwk = with_random_jwk ? random_jwk : self.jwk
|
25
|
+
|
26
|
+
headers = {
|
27
|
+
kid: jwk.kid
|
28
|
+
}
|
29
|
+
|
30
|
+
JWT.encode payload, jwk.keypair, ALGORITHM, headers
|
31
|
+
end
|
32
|
+
|
33
|
+
# @return [(Hash, Hash)]
|
34
|
+
def decode_token(token, leeway: resolve_config(:token_leeway))
|
35
|
+
options = {
|
36
|
+
algorithms: [ALGORITHM],
|
37
|
+
leeway: leeway,
|
38
|
+
jwks: { keys: [jwk.export] },
|
39
|
+
}
|
40
|
+
|
41
|
+
JWT.decode token, nil, true, options
|
42
|
+
end
|
43
|
+
|
44
|
+
# @return [KeycloakRack::DecodedToken]
|
45
|
+
def build_decoded_token(**options)
|
46
|
+
leeway = options.delete(:leeway)
|
47
|
+
|
48
|
+
decode_options = { leeway: leeway }
|
49
|
+
|
50
|
+
token = build_token(**options)
|
51
|
+
|
52
|
+
payload, headers = decode_token token, **decode_options
|
53
|
+
|
54
|
+
KeycloakRack::DecodedToken.new payload.merge(original_payload: payload, headers: headers)
|
55
|
+
end
|
56
|
+
|
57
|
+
def jwk
|
58
|
+
@jwk ||= JWT::JWK.new rsa_key
|
59
|
+
end
|
60
|
+
|
61
|
+
def random_jwk
|
62
|
+
JWT::JWK.new OpenSSL::PKey::RSA.generate 2048
|
63
|
+
end
|
64
|
+
|
65
|
+
def jwks
|
66
|
+
@jwks ||= { keys: [jwk.export.reverse_merge(alg: ALGORITHM)] }
|
67
|
+
end
|
68
|
+
|
69
|
+
def resolve_config(value)
|
70
|
+
KeycloakRack::Container["keycloak-rack.config"].public_send(value)
|
71
|
+
end
|
72
|
+
|
73
|
+
def rsa_key
|
74
|
+
@rsa_key ||= OpenSSL::PKey::RSA.new File.read pem_path
|
75
|
+
end
|
76
|
+
end
|