mumukit-auth 0.2.3

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    OWI4N2M5NDExZDc1NjhjYTQ2NjMwNGRmZjFjZmY1ZjI0NWM5MDVlNg==
+  data.tar.gz: !binary |-
+    NDJjMTc0ZmMzODc2NThjNGNjYmNjNjRiNDgyZDAxYzExN2RkMzJkMQ==
+SHA512:
+  metadata.gz: !binary |-
+    YTU3YjdjN2VlZGY0N2RmZWM1ZTNkOTg0YjE3YTdiZTE5MmQ0ZjI0YTY2NmYy
+    OWNkOGUyNjdkZTIzYmFiNzUyNGQ4MGMwMGExZGE0Mzk5Y2VhMTRhMDU2ZWVi
+    ZDY5MjMyMDJiZmFiMTNjNTgxNzQ2NTE3NTk4NDNmZTg0OGY0MGU=
+  data.tar.gz: !binary |-
+    ZTFjM2UxMTc4MmRiZjQ0ZWExYTRlYThiNzIyNDcxNjgzNjk3YjUwYjdhMzFm
+    YmU5NzM5ZWFiNzdkZDRiOWJmNmU2OTM2ZTRhYmNjZTA0NDgxYTUyMjdlYzU1
+    NWI2NjdhZDVlYzEzZDZjOGE1NjczMGE5ZWQwZDEwOTAxMjAyOTQ=

data/lib/mumukit/auth.rb

@@ -0,0 +1,25 @@
+require 'active_support/all'
+require 'mumukit/core'
+
+require_relative './auth/version'
+require_relative './auth/exceptions'
+require_relative './auth/grant'
+require_relative './auth/metadata'
+require_relative './auth/token'
+require_relative './auth/permissions'
+require_relative './auth/user'
+
+require 'ostruct'
+
+module Mumukit
+  module Auth
+    def self.configure
+      @config ||= OpenStruct.new
+      yield @config
+    end
+
+    def self.config
+      @config
+    end
+  end
+end

data/lib/mumukit/auth/exceptions.rb

@@ -0,0 +1,10 @@
+module Mumukit::Auth
+  class InvalidTokenError < StandardError
+  end
+
+  class UnauthorizedAccessError < StandardError
+  end
+
+  class EmailNotRegistered < StandardError
+  end
+end

data/lib/mumukit/auth/grant.rb

@@ -0,0 +1,76 @@
+module Mumukit::Auth
+  class Grant
+    def as_json(options={})
+      to_s
+    end
+
+    def [](resource)
+      (self.class.slug? resource) ? allows?(resource) : access?(resource)
+    end
+
+    def self.slug?(resource_identifier)
+      /.*\/.*/.matches? resource_identifier
+    end
+
+    def self.parse(pattern)
+      case pattern
+        when '*' then
+          AllGrant.new
+        when /(.*)\/\*/
+          OrgGrant.new($1)
+        else
+          SingleGrant.new(pattern)
+      end
+    end
+  end
+
+  class AllGrant < Grant
+    def allows?(slug)
+      true
+    end
+
+    def access?(organization)
+      true
+    end
+
+    def to_s
+      '*'
+    end
+  end
+
+  class SingleGrant < Grant
+    def initialize(slug)
+      @slug = slug
+    end
+
+    def allows?(slug)
+      @slug == slug
+    end
+
+    def access?(organization)
+      @slug.split('/')[0] == organization
+    end
+
+    def to_s
+      @slug
+    end
+  end
+
+  class OrgGrant < Grant
+    def initialize(org)
+      @org = org
+    end
+
+    def allows?(slug)
+      /^#{@org}\/.*/.matches? slug
+    end
+
+    def access?(organization)
+      @org == organization
+    end
+
+    def to_s
+      "#{@org}/*"
+    end
+  end
+end

data/lib/mumukit/auth/metadata.rb

@@ -0,0 +1,56 @@
+class Mumukit::Auth::Metadata
+  def initialize(json)
+    @json = json
+  end
+
+  def as_json(_options={})
+    @json
+  end
+
+  def permissions(app)
+    @json.dig(app, 'permissions').to_mumukit_auth_permissions
+  end
+
+  def add_permission!(app, permission)
+    if permissions(app).present?
+      @json[app] = process_permission(app, permission)
+    else
+      @json.merge!("#{app}" => {'permissions' => permission})
+    end
+    @json
+  end
+
+  def process_permission(app, permission)
+    {permissions: Mumukit::Auth::Permissions.load(permissions(app).as_json + ":#{permission}").to_s}
+  end
+
+  def librarian?(slug)
+    has_role? 'bibliotheca', slug
+  end
+
+  def admin?(slug)
+    has_role? 'admin', slug
+  end
+
+  def teacher?(slug)
+    has_role? 'classroom', slug
+  end
+
+  def student?(slug)
+    has_role? 'atheneum', slug
+  end
+
+  def self.load(json)
+    new(JSON.parse(json))
+  end
+
+  def self.dump(metadata)
+    metadata.to_json
+  end
+
+  private
+
+  def has_role?(app, slug)
+    permissions(app)[slug]
+  end
+end

data/lib/mumukit/auth/permissions.rb

@@ -0,0 +1,58 @@
+module Mumukit::Auth
+  class Permissions
+
+    def initialize(grants)
+      @grants = grants
+    end
+
+    def protect!(slug)
+      raise Mumukit::Auth::UnauthorizedAccessError.new(unauthorized_message(slug)) unless allows?(slug)
+    end
+
+    def allows?(slug)
+      any_grant? { |grant| grant.allows? slug }
+    end
+
+    def access?(organization)
+      any_grant? { |grant| grant.access? organization }
+    end
+
+    def [](organization)
+      any_grant? { |grant| grant[organization] }
+    end
+
+    def as_json
+      to_s
+    end
+
+    def to_s
+      @grants.map(&:to_s).uniq.join(':')
+    end
+
+    def present?
+      to_s.present?
+    end
+
+    def self.dump(permission)
+      permission.to_s
+    end
+
+    def self.load(pattern)
+      parse(pattern)
+    end
+
+    def self.parse(pattern)
+      new(pattern.split(':').map { |grant_pattern| Grant.parse(grant_pattern) })
+    end
+
+    private
+
+    def any_grant?(&block)
+      @grants.any?(&block)
+    end
+
+    def unauthorized_message(slug)
+      "Unauthorized access to #{slug}. Permissions are #{to_s}"
+    end
+  end
+end

data/lib/mumukit/auth/token.rb

@@ -0,0 +1,69 @@
+require 'jwt'
+
+module Mumukit::Auth
+  class Token
+    attr_reader :jwt
+
+    def initialize(jwt)
+      @jwt = jwt
+    end
+
+    def metadata
+      @metadata ||= Mumukit::Auth::Metadata.new(jwt['app_metadata'] || {})
+    end
+
+    def permissions(app)
+      metadata.permissions(app)
+    end
+
+    def verify_client!
+      raise Mumukit::Auth::InvalidTokenError.new('aud mismatch') if Mumukit::Auth.config.client_id != jwt['aud']
+    end
+
+    def self.from_env(env)
+      new(env.dig('omniauth.auth', 'extra', 'raw_info') || {})
+    end
+
+    def self.decode_header(header)
+      raise Mumukit::Auth::InvalidTokenError.new('missing authorization header') if header.nil?
+      decode header.split(' ').last
+    end
+
+    def self.decode(encoded)
+      Token.new JWT.decode(encoded, decoded_secret)[0]
+    rescue JWT::DecodeError => e
+      raise Mumukit::Auth::InvalidTokenError.new(e)
+    end
+
+    def self.encode_dummy_auth_header(metadata)
+      encoded_token = JWT.encode(
+          {aud: Mumukit::Auth.config.client_id,
+           app_metadata: metadata},
+          decoded_secret)
+      'dummy token ' + encoded_token
+    end
+
+    def self.decoded_secret
+      JWT.base64url_decode(Mumukit::Auth.config.client_secret)
+    end
+  end
+
+
+  class Permissions
+    def to_mumukit_auth_permissions
+      self
+    end
+  end
+end
+
+class String
+  def to_mumukit_auth_permissions
+    Mumukit::Auth::Permissions.parse(self)
+  end
+end
+
+class NilClass
+  def to_mumukit_auth_permissions
+    Mumukit::Auth::Permissions.new([])
+  end
+end

data/lib/mumukit/auth/user.rb

@@ -0,0 +1,67 @@
+require 'auth0'
+
+class Mumukit::Auth::User
+
+  attr_accessor :social_id, :user
+
+  def initialize(social_id, user=nil)
+    @social_id = social_id
+    @user = user || client.user(@social_id)
+  end
+
+  def update_permissions(key, permission)
+    metadata.add_permission!(key, permission)
+    client.update_user_metadata social_id, metadata.as_json
+  end
+
+  def permissions_string
+    apps.select { |app| @user[app].present? }.map { |app| {app.to_s => @user[app]} }.reduce({}, :merge).to_json
+  end
+
+  def metadata
+    @metadata ||= Mumukit::Auth::Metadata.load(permissions_string)
+  end
+
+  def permissions_for(app)
+    metadata[app]['permissions']
+  end
+
+  def apps
+    ['bibliotheca', 'classroom', 'admin', 'atheneum']
+  end
+
+  def client
+    self.class.client
+  end
+
+  def librarian?(slug)
+    metadata.librarian? slug
+  end
+
+  def admin?(slug)
+    metadata.admin? slug
+  end
+
+  def teacher?(slug)
+    metadata.teacher? slug
+  end
+
+  def student?(slug)
+    metadata.student? slug
+  end
+
+  def self.from_email(email)
+    user = client.users("email:#{email}").first
+    raise Mumukit::Auth::EmailNotRegistered.new('There is no user registered with that email.') unless user.present?
+    new(user['user_id'])
+  end
+
+  def self.client
+    Auth0Client.new(
+        :client_id => ENV['MUMUKI_AUTH0_CLIENT_ID'],
+        :client_secret => ENV['MUMUKI_AUTH0_CLIENT_SECRET'],
+        :domain => "mumuki.auth0.com"
+    )
+  end
+
+end

data/lib/mumukit/auth/version.rb

@@ -0,0 +1,5 @@
+module Mumukit
+  module Auth
+    VERSION = '0.2.3'
+  end
+end

metadata

@@ -0,0 +1,150 @@
+--- !ruby/object:Gem::Specification
+name: mumukit-auth
+version: !ruby/object:Gem::Version
+  version: 0.2.3
+platform: ruby
+authors:
+- Franco Leonardo Bulgarelli
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-08-08 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: auth0
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: mumukit-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.1'
+description: 
+email:
+- franco@mumuki.org
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/mumukit/auth.rb
+- lib/mumukit/auth/exceptions.rb
+- lib/mumukit/auth/grant.rb
+- lib/mumukit/auth/metadata.rb
+- lib/mumukit/auth/permissions.rb
+- lib/mumukit/auth/token.rb
+- lib/mumukit/auth/user.rb
+- lib/mumukit/auth/version.rb
+homepage: http://github.com/mumuki/mumukit-auth
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5
+signing_key: 
+specification_version: 4
+summary: Library for authenticating mumuki requests
+test_files: []