monban-core 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: da14b037f6f5171c93f2ec483393120901d721468871940fd676cade914bfc34
+  data.tar.gz: 91806b518b767aedbacd499c10179513b9ac9a309d21e030ecca9acd83b06f36
+SHA512:
+  metadata.gz: a7250d275a21b7b0a49ac33426a2312bfcf28320c58de424a9ca52e4b8c139428625bb1385e6a1030475130dfeb9131ad63172d482ef81e69aa8ca1c552d4c2a
+  data.tar.gz: fd6d37edbcf0cd6041ae4c9617ed68bc724f1ede672d8829de4cc0d61d89e4dc78ec6ed8b58fff007c95198b31c1e8e44f23ad151456641549a4a4ccbed41a61

data/.envrc

@@ -0,0 +1,5 @@
+export APP_ROOT=$(pwd)
+
+export DOCKER_WRAPPER_IMAGE_ruby=2.5.1
+
+export GIT_RELEASE_VERSION_FILE=lib/monban/core/version.rb

data/.git_release_request.rc.sh

@@ -0,0 +1,7 @@
+git_release_request_dump_version_local(){
+  bundle
+  git add Gemfile.lock
+}
+git_release_request_after_tag(){
+  git push github master --tags
+}

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+/vendor/

data/.gitlab-ci.yml

@@ -0,0 +1,12 @@
+image: ruby:2.5.1
+
+cache:
+  paths:
+    - vendor/
+
+test:
+  except:
+    - tags
+  script:
+    - bundle
+    - bundle exec rake

data/.travis.yml

@@ -0,0 +1,12 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.5.1
+before_install: gem install bundler -v 1.16.2
+deploy:
+  provider: rubygems
+  gem: monban-core
+  on:
+    tags: true
+  api_key:
+    secure: "DdkHZ3zEXiaetZt7r36tbT0+ECCE6meR//2sJo0AgVE5rpWS1tCd0/D/bjrYKyZha7NlGyyXp0/2A5RPdfJVIZiapVHpB2XozZNKcNVvXoeQRchAlHHIbpapiseo+28gCQK5h/K30m7OExCTtoXSGSIUCLeOkIz0AFC/7Aor1e/+38DLK2NvFleYJfAtWedNSe75exygTpca48zwgkwnNyRwenLoA8poDXJKjkElS9Y/Wf/L4HBiCBu2C/9pGZz0Tdf2lMxD9lNsGYbCxCtA3381f6zFt7cNhGY6a6GWvoZInep6C11PrYUT97TmLpgeTqB7hgYtsXxVP6kEEVlPmrNg22nR91YFSohFpvWAlZ7kCUOiQntwo4n0vLtPVvW0nXx0sAk0I2/mIH41Lnj7ekz5BQW0/4K1SQjjqlTQ0J9FVMGd7Y3ewjRmjcJ99kf0vPTqs5zERe9pfnaYzhYkyQggp4ZeGfeOYzYGdx0wtLQDFzMp8KlbpNTSIcpIFhVzvW40or4CdMMDZqn8iFBvfvvRsEpClUnRaybIJJJltIDnb3qCDNoIebDSbuVINjQufApCDXmpoWz3Ec2Gy1YWraaqzWEqfWhKUbTxuEkOxyXFUDtXrWTwKJ67J+JDx/lH5vQFU61Wt8O2lVswuvqhCxO24qFQiYpT8Onjw+GgCSI="

data/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in monban-core.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,36 @@
+PATH
+  remote: .
+  specs:
+    monban-core (0.1.0)
+      getto-initialize_with (~> 1.0)
+      getto-params (~> 1.0)
+      jwt (~> 2.1)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    docile (1.3.1)
+    getto-initialize_with (1.0.1)
+    getto-params (1.0.1)
+    json (2.1.0)
+    jwt (2.1.0)
+    minitest (5.11.3)
+    rake (10.5.0)
+    simplecov (0.16.1)
+      docile (~> 1.1)
+      json (>= 1.8, < 3)
+      simplecov-html (~> 0.10.0)
+    simplecov-html (0.10.2)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.16)
+  minitest (~> 5.0)
+  monban-core!
+  rake (~> 10.0)
+  simplecov (~> 0.16)
+
+BUNDLED WITH
+   1.16.6

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2018 shun@getto.systems
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,51 @@
+# monban-core
+
+[rubygems: monban-core](https://rubygems.org/gems/monban-core)
+
+[Monban](https://github.com/getto-systems/rubygems-monban-core) - core
+
+The authentication plugin for web api based on jwt
+
+
+###### Table of Contents
+
+- [Requirements](#Requirements)
+- [Usage](#Usage)
+- [License](#License)
+
+<a id="Requirements"></a>
+## Requirements
+
+- developed on ruby: 2.5.1
+
+
+<a id="Usage"></a>
+## Usage
+
+## Install
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'monban-core'
+```
+
+And then execute:
+
+```
+$ bundle
+```
+
+Or install it yourself as:
+
+```
+$ gem install monban-core
+```
+
+
+<a id="License"></a>
+## License
+
+monban/core is licensed under the [MIT](LICENSE) license.
+
+Copyright &copy; since 2018 shun@getto.systems

data/Rakefile

@@ -0,0 +1,10 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList["test/**/*_test.rb"]
+end
+
+task :default => :test

data/lib/monban/core/version.rb

@@ -0,0 +1,5 @@
+module Monban
+  module Core
+    VERSION = "0.1.0"
+  end
+end

data/lib/monban/domain/auth.rb

@@ -0,0 +1,273 @@
+require "getto/initialize_with"
+
+require "getto/params"
+require "jwt"
+
+module Monban
+  module Domain
+    module Auth
+      class DecodeError < RuntimeError; end
+      class SettingError < RuntimeError; end
+
+      module Claim
+        def iss(type)
+          "#{type}@#{jwt_service}"
+        end
+
+        def authy_roles
+          ["registered","unregistered"]
+        end
+      end
+
+      class Encoder
+        include Getto::InitializeWith
+        include Claim
+
+        initialize_with :jwt_service, :jwt_secret, :jwt_algorithm, :time
+
+        def full(public_id:, roles:, expired_at:)
+          to_jwt full_payload(
+            public_id:  public_id,
+            roles:      roles,
+            expired_at: expired_at,
+          )
+        end
+
+        def authy(public_id:, authy_id:, expired_at:)
+          to_jwt authy_payload(
+            public_id:  public_id,
+            authy_id:   authy_id,
+            expired_at: expired_at,
+          )
+        end
+
+        def reset(public_id:, reset_token:, expired_at:)
+          to_jwt reset_payload(
+            public_id:   public_id,
+            reset_token: reset_token,
+            expired_at:  expired_at,
+          )
+        end
+
+        private
+
+          def to_jwt(payload)
+            ::JWT.encode(payload, jwt_secret, jwt_algorithm)
+          end
+
+          def full_payload(public_id:, roles:, expired_at:)
+            {
+              iss: iss(:full),
+              iat: time.now.to_i,
+              exp: expired_at.to_i,
+
+              sub: public_id,
+              aud: roles,
+            }
+          end
+
+          def authy_payload(public_id:, authy_id:, expired_at:)
+            {
+              iss: iss(:authy),
+              iat: time.now.to_i,
+              exp: expired_at.to_i,
+
+              sub: public_id,
+              aud: authy_id ? authy_roles.first : authy_roles.last,
+            }
+          end
+
+          def reset_payload(public_id:, reset_token:, expired_at:)
+            {
+              iss: iss(:reset),
+              iat: time.now.to_i,
+              exp: expired_at.to_i,
+
+              sub: public_id,
+              aud: reset_token,
+            }
+          end
+      end
+
+      class Decoder
+        include Getto::InitializeWith
+        include Claim
+
+        initialize_with :jwt_service, :jwt_secret, :jwt_algorithm,
+          :public_id_length, :reset_token_length,
+          :all_roles, :allow_full_access
+
+        def decode(token, type:, roles:)
+          case type
+          when :full
+            full_format ::JWT.decode(
+              token,
+              jwt_secret,
+              true,
+
+              algorithm: jwt_algorithm,
+
+              verify_iss: true, iss: iss(type),
+              verify_iat: true,
+              verify_sub: true,
+
+              verify_aud: !!roles, aud: ([*roles] + allow_full_access).map(&:to_s),
+            )
+          when :authy
+            authy_format ::JWT.decode(
+              token,
+              jwt_secret,
+              true,
+
+              algorithm: jwt_algorithm,
+
+              verify_iss: true, iss: iss(type),
+              verify_iat: true,
+              verify_sub: true,
+
+              verify_aud: roles[:only_registered], aud: authy_roles.first,
+            )
+          when :reset
+            reset_format ::JWT.decode(
+              token,
+              jwt_secret,
+              true,
+
+              algorithm: jwt_algorithm,
+
+              verify_iss: true, iss: iss(type),
+              verify_sub: true,
+              verify_iat: true,
+            )
+          else
+            raise SettingError, "decode: invalid type: #{type}"
+          end
+        rescue ::JWT::DecodeError => e
+          error! e.message
+        end
+
+        private
+
+          def full_format(result)
+            payload, header = result
+
+            validate_header! header
+            validate_full!   payload
+
+            {
+              public_id: payload["sub"],
+              roles:     payload["aud"],
+            }
+          end
+
+          def authy_format(result)
+            payload, header = result
+
+            validate_header! header
+            validate_authy!  payload
+
+            {
+              public_id: payload["sub"],
+            }
+          end
+
+          def reset_format(result)
+            payload, header = result
+
+            validate_header! header
+            validate_reset!  payload
+
+            {
+              public_id:   payload["sub"],
+              reset_token: payload["aud"],
+            }
+          end
+
+
+          def validate_header!(header)
+            Getto::Params.new.validate(header) do |v|
+              v.hash_strict(
+                "alg" => v.string, # verified by jwt
+              )
+            end or error! "header: #{header}"
+          end
+
+          def validate_full!(payload)
+            aud = (all_roles + allow_full_access).map(&:to_s)
+
+            Getto::Params.new.validate(payload) do |v|
+              v.hash_strict(
+                "iss" => v.string,  # verified by jwt
+                "iat" => v.integer, # verified by jwt
+                "exp" => v.integer, # verified by jwt
+
+                "sub" => v.combine([v.string, v.length(public_id_length)]){|val| error! "sub: #{val}" },
+                "aud" => v.array_include(aud)                             {|val| error! "aud: #{val}" },
+              )
+            end or error! "full: #{payload}"
+          end
+
+          def validate_authy!(payload)
+            Getto::Params.new.validate(payload) do |v|
+              v.hash_strict(
+                "iss" => v.string,  # verified by jwt
+                "iat" => v.integer, # verified by jwt
+                "exp" => v.integer, # verified by jwt
+
+                "sub" => v.combine([v.string, v.length(public_id_length)]){|val| error! "sub: #{val}" },
+                "aud" => v.combine([v.string, v.in(authy_roles)])         {|val| error! "aud: #{val}" },
+              )
+            end or error! "authy: #{payload}"
+          end
+
+          def validate_reset!(payload)
+            Getto::Params.new.validate(payload) do |v|
+              v.hash_strict(
+                "iss" => v.string,  # verified by jwt
+                "iat" => v.integer, # verified by jwt
+                "exp" => v.integer, # verified by jwt
+
+                "sub" => v.combine([v.string, v.length(public_id_length)])  {|val| error! "sub: #{val}" },
+                "aud" => v.combine([v.string, v.length(reset_token_length)]){|val| error! "aud: #{val}" },
+              )
+            end or error! "reset: #{payload}"
+          end
+
+          def error!(message)
+            raise DecodeError, message
+          end
+      end
+
+      class Authorized
+        include Getto::InitializeWith
+
+        initialize_with :authorized_secret, :authorized_algorithm
+
+        def decode(token)
+          ::JWT.decode(
+            token,
+            authorized_secret,
+            true,
+            {
+              algorithm: authorized_algorithm,
+            }
+          ).first
+        rescue ::JWT::DecodeError => e
+          error! e.message
+        end
+
+        def encode(account)
+          ::JWT.encode(
+            account,
+            authorized_secret,
+            authorized_algorithm
+          )
+        end
+
+        def error!(message)
+          raise DecodeError, message
+        end
+      end
+    end
+  end
+end

data/lib/monban/domain/password.rb

@@ -0,0 +1,51 @@
+require "getto/initialize_with"
+
+module Monban
+  module Domain
+    module Password
+      module Helper
+        private
+
+          def digest(password:)
+            password_digest.call(password + password_secret)
+          end
+      end
+
+      class Creater
+        include Getto::InitializeWith
+        include Helper
+
+        initialize_with(
+          password_creater: [:create],
+          password_digest:  [:call],
+          password_secret:  String,
+        )
+
+        def create(password:)
+          password_creater.create(
+            password: digest(password: password),
+          )
+        end
+      end
+
+      class Checker
+        include Getto::InitializeWith
+        include Helper
+
+        initialize_with(
+          password_checker: [:hash_secret],
+          password_digest:  [:call],
+          password_secret:  String,
+        )
+
+        def hash_secret(password:, salt:)
+          password_checker.hash_secret(
+            password: digest(password: password),
+            salt: salt,
+          )
+        end
+      end
+
+    end
+  end
+end

data/lib/monban/use_case/account/admin.rb

@@ -0,0 +1,49 @@
+require "monban/use_case/base"
+
+require "getto/params"
+
+module Monban
+  module UseCase
+    module Account
+      class Admin < Base
+
+        initialize_with(
+          time: [:now],
+          repository: [
+            :transaction,
+            :reset_password_email_account,
+            :insert_account,
+            :update_roles,
+            :update_reset_password_email,
+          ],
+
+          admin_email: String,
+          admin_roles: Array,
+        )
+
+        def register
+          repository.transaction do
+            unless account_id = repository.reset_password_email_account(email: admin_email)
+              account_id = repository.insert_account(now: time.now)
+            end
+
+            repository.update_roles(
+              account_id: account_id,
+              roles: admin_roles,
+              now: time.now,
+            )
+
+            repository.update_reset_password_email(
+              account_id: account_id,
+              email: admin_email,
+              now: time.now,
+            )
+
+            nil
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/monban/use_case/account/change/email.rb

@@ -0,0 +1,60 @@
+require "monban/use_case/base"
+
+require "getto/params"
+
+module Monban
+  module UseCase
+    module Account
+      module Change
+        class Email < Base
+
+          initialize_with(
+            error: [:invalid_params!, :not_found!, :conflict!],
+            time:  [:now],
+            repository: [
+              :transaction,
+              :account_exists?,
+              :reset_password_email_account,
+              :update_reset_password_email,
+              :reset_password_email,
+            ],
+          )
+
+          def change(params)
+            Getto::Params.new.validate(params) do |v|
+              v.hash(
+                account_id: v.integer            {|val| param_error!(account_id: val) },
+                email:      v.combine([v.string]){|val| param_error!(email: val) },
+              )
+            end or param_error!(params: params)
+
+            repository.transaction do
+              unless repository.account_exists?(account_id: params[:account_id])
+                error.not_found! "account_id: #{params[:account_id]}"
+              end
+
+              email_account = repository.reset_password_email_account(email: params[:email])
+
+              if email_account && email_account != params[:account_id]
+                error.conflict! "email: #{params[:email]}"
+              end
+
+              unless email_account
+                repository.update_reset_password_email(
+                  account_id: params[:account_id],
+                  email:      params[:email],
+                  now:        time.now,
+                )
+              end
+
+              {
+                email: repository.reset_password_email(account_id: params[:account_id]),
+              }
+            end
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/monban/use_case/account/change/login_id.rb

@@ -0,0 +1,57 @@
+require "monban/use_case/base"
+
+require "getto/params"
+
+module Monban
+  module UseCase
+    module Account
+      module Change
+        class LoginId < Base
+
+          initialize_with(
+            error: [:invalid_params!, :not_found!, :conflict!],
+            time:  [:now],
+            repository: [
+              :transaction,
+              :account_exists?,
+              :login_id_account,
+              :update_login_id,
+              :login_id,
+            ],
+          )
+
+          def change(params)
+            Getto::Params.new.validate(params) do |v|
+              v.hash(
+                account_id: v.integer{|val| param_error!(account_id: val) },
+                login_id:   v.string {|val| param_error!(login_id: val) },
+              )
+            end or param_error!(params: params)
+
+            repository.transaction do
+              unless repository.account_exists?(account_id: params[:account_id])
+                error.not_found! "account_id: #{params[:account_id]}"
+              end
+
+              login_id_account = repository.login_id_account(login_id: params[:login_id])
+              if login_id_account && login_id_account != params[:account_id]
+                error.conflict! "login_id: #{params[:login_id]}"
+              end
+
+              unless login_id_account
+                repository.update_login_id(
+                  account_id: params[:account_id],
+                  login_id:   params[:login_id],
+                  now:        time.now,
+                )
+              end
+
+              repository.login_id(account_id: params[:account_id])
+            end
+          end
+
+        end
+      end
+    end
+  end
+end