prx_auth 1.1.0

data/lib/prx_auth/version.rb

@@ -0,0 +1,3 @@
+module PrxAuth
+  VERSION = "1.1.0"
+end

data/lib/rack/prx_auth.rb

@@ -0,0 +1,63 @@
+require 'json/jwt'
+require 'rack/prx_auth/certificate'
+require 'rack/prx_auth/token_data'
+require 'prx_auth'
+
+module Rack
+  class PrxAuth
+    INVALID_TOKEN = [
+      401, {'Content-Type' => 'application/json'},
+      [{status: 401, error: 'Invalid JSON Web Token'}.to_json]
+    ]
+
+    DEFAULT_ISS = 'id.prx.org'
+
+    attr_reader :issuer
+
+    def initialize(app, options = {})
+      @app = app
+      @certificate = Certificate.new(options[:cert_location])
+      @issuer = options[:issuer] || DEFAULT_ISS
+    end
+
+    def call(env)
+      return @app.call(env) unless env['HTTP_AUTHORIZATION']
+
+      token = env['HTTP_AUTHORIZATION'].split[1]
+      claims = decode_token(token)
+
+      return @app.call(env) unless should_validate_token?(claims)
+
+      if valid?(claims, token)
+        env['prx.auth'] = TokenData.new(claims)
+        @app.call(env)
+      else
+        INVALID_TOKEN
+      end
+    end
+
+    private
+
+    def valid?(claims, token)
+      !expired?(claims) && @certificate.valid?(token)
+    end
+
+    def decode_token(token)
+      return {} if token.nil?
+
+      begin
+        JSON::JWT.decode(token, :skip_verification)
+      rescue JSON::JWT::InvalidFormat
+        {}
+      end
+    end
+
+    def expired?(claims)
+      Time.now.to_i > (claims['iat'] + claims['exp'])
+    end
+
+    def should_validate_token?(claims)
+      claims['iss'] == @issuer
+    end
+  end
+end

data/lib/rack/prx_auth/certificate.rb

@@ -0,0 +1,55 @@
+require 'json/jwt'
+require 'net/http'
+
+module Rack
+  class PrxAuth
+    class Certificate
+      EXPIRES_IN = 43200
+      DEFAULT_CERT_LOC = URI('https://id.prx.org/api/v1/certs')
+
+      attr_reader :cert_location
+
+      def initialize(cert_uri = nil)
+        @cert_location = cert_uri.nil? ? DEFAULT_CERT_LOC : URI(cert_uri)
+      end
+
+      def valid?(token)
+        begin
+          JSON::JWT.decode(token, public_key)
+        rescue JSON::JWT::VerificationFailed
+          false
+        else
+          true
+        end
+      end
+
+      private
+
+      def public_key
+        certificate.public_key
+      end
+
+      def certificate
+        if @certificate.nil? || needs_refresh?
+          @certificate = fetch
+        end
+        @certificate
+      end
+
+      def fetch
+        certs = JSON.parse(Net::HTTP.get(cert_location))
+        cert_string = certs['certificates'].values[0]
+        @refresh_at = Time.now.to_i + EXPIRES_IN
+        OpenSSL::X509::Certificate.new(cert_string)
+      end
+
+      def needs_refresh?
+        expired? || @refresh_at <= Time.now.to_i
+      end
+
+      def expired?
+        @certificate.not_after < Time.now
+      end
+    end
+  end
+end

data/lib/rack/prx_auth/token_data.rb

@@ -0,0 +1,53 @@
+require 'prx_auth/resource_map'
+
+module Rack
+  class PrxAuth
+    class TokenData
+      attr_reader :scopes
+
+      def initialize(attrs = {})
+        @attributes = attrs
+
+        @authorized_resources = ::PrxAuth::ResourceMap.new(unpack_aur(attrs['aur'])).freeze
+        
+        if attrs['scope']
+          @scopes = attrs['scope'].split(' ').freeze
+        else
+          @scopes = [].freeze
+        end
+      end
+
+      def resources(namespace=nil, scope=nil)
+        @authorized_resources.resources(namespace, scope)
+      end
+
+      def user_id
+        @attributes['sub']
+      end
+
+      def authorized?(resource, namespace=nil, scope=nil)
+        @authorized_resources.contains?(resource, namespace, scope)
+      end
+
+      def globally_authorized?(namespace, scope=nil)
+        authorized?(::PrxAuth::ResourceMap::WILDCARD_KEY, namespace, scope)
+      end
+      
+      private
+
+      def unpack_aur(aur)
+        return {} if aur.nil?
+
+        aur.clone.tap do |result|
+          unless result['$'].nil?
+            result.delete('$').each do |role, resources|
+              resources.each do |res|
+                result[res.to_s] = role
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rack/prx_auth/version.rb

@@ -0,0 +1,7 @@
+require 'prx_auth/version'
+
+module Rack
+  class PrxAuth
+    VERSION = PrxAuth::VERSION
+  end
+end

data/prx_auth.gemspec

@@ -0,0 +1,32 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'prx_auth/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "prx_auth"
+  spec.version       = PrxAuth::VERSION
+  spec.authors       = ["Eve Asher", "Chris Rhoden"]
+  spec.email         = ["eve@prx.org", "carhoden@gmail.com"]
+  spec.summary       = %q{Utilites for parsing PRX JWTs and Rack middleware that verifies and attaches the token's claims to env.}
+  spec.description   = %q{Specific to PRX. Will ignore tokens that were not issued by PRX.}
+  spec.homepage      = "https://github.com/PRX/prx_auth"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^test/})
+  spec.require_paths = ["lib"]
+
+  spec.required_ruby_version = '>= 2.3'
+
+  spec.add_development_dependency 'bundler', '~> 2.0'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'coveralls', '~> 0'
+  spec.add_development_dependency 'guard'
+  spec.add_development_dependency 'guard-minitest'
+
+  spec.add_dependency 'rack', '>= 1.5.2'
+  spec.add_dependency 'json', '>= 1.8.1'
+  spec.add_dependency 'json-jwt', '~> 1.9.4'
+end

data/test/prx_auth/resource_map_test.rb

@@ -0,0 +1,158 @@
+require 'test_helper'
+
+describe PrxAuth::ResourceMap do
+
+  def new_map(val)
+    PrxAuth::ResourceMap.new(val)
+  end
+
+  let(:map) { PrxAuth::ResourceMap.new(input) }
+  let(:input) { {'123' => 'admin one two three ns1:namespaced', '456' => 'member four five six' } }
+
+  describe '#authorized?' do
+    it 'contains scopes in list' do
+      assert map.contains?(123, :admin)
+    end
+
+    it 'does not include across aur limits' do
+      assert !map.contains?(123, :member)
+    end
+
+    it 'does not require a scope' do
+      assert map.contains?(123)
+    end
+
+    it 'does not match if it hasnt seen the resource' do
+      assert !map.contains?(789)
+    end
+
+    it 'works with namespaced scopes' do
+      assert map.contains?(123, :ns1, :namespaced)
+    end
+
+    describe 'with wildcard resource' do
+      let(:input) do
+        {
+          '*' => 'peek',
+          '123' => 'admin one two three',
+          '456' => 'member four five six'
+        }
+      end
+
+      it 'applies wildcard lists to queries with no matching value' do
+        assert map.contains?(789, :peek)
+      end
+
+      it 'does not scan unscoped for wildcard resources' do
+        assert !map.contains?(789)
+      end
+
+      it 'allows querying by wildcard resource directly' do
+        assert map.contains?('*', :peek)
+        assert !map.contains?('*', :admin)
+      end
+
+      it 'treats wildcard lists as additive to other explicit ones' do
+        assert map.contains?(123, :peek)
+      end
+
+      it 'refuses to run against wildcard with no scope' do
+        assert_raises ArgumentError do
+          map.contains?('*')
+        end
+      end
+    end
+  end
+
+  describe '#resources' do
+    let (:input) do
+      {
+        '*' => 'read wildcard',
+        '123' => 'read write buy',
+        '456' => 'read ns1:buy'
+      }
+    end
+
+    let (:resources) { map.resources }
+
+    it 'returns resource ids' do
+      assert resources.include?('123')
+      assert resources.include?('456')
+    end
+
+    it 'excludes wildcard values' do
+      assert !resources.include?('*')
+    end
+
+    it 'filters for scope' do
+      resources = map.resources(:write)
+      assert resources.include?('123')
+      assert !resources.include?('456')
+      assert !resources.include?('*')
+    end
+
+    it 'works with namespaces' do
+      resources = map.resources(:ns1, :buy)
+      assert resources.include?('123')
+      assert resources.include?('456')
+
+      resources = map.resources(:buy)
+      assert !resources.include?('456')
+    end
+  end
+
+  describe '#condense' do
+    let (:input) {{ "one" => "one two three ns1:one", "two" => "two three",  "three" => "two", "*" => "two" }}
+    let (:json) { map.condense.as_json }
+
+    it "removes redundant values which are in the wildcard" do
+      assert !json["one"].include?("two")
+    end
+
+    it "keeps resources in the hash even if all scopes are redundant" do
+      assert json["three"] == ""
+    end
+  end
+
+  describe '#+' do
+    it 'adds values' do
+      map = new_map("one" => "two", "two" => "four") + new_map("one" => "three", "three" => "six")
+      assert map.contains?('one', :two) && map.contains?('one', :three)
+      assert map.contains?('two', :four) && map.contains?('three', :six)
+    end
+  end
+
+  describe '#-' do
+    it 'subtracts values' do
+      map = new_map("one" => "two three", "two" => "four") - new_map("one" => "three four")
+      assert map.contains?('one', :two)
+      assert map.contains?('two', :four)
+      assert !map.contains?('one', :three) && !map.contains?('one', :four)
+    end
+
+    it 'works on wildcards on right side of operator' do
+      map = new_map("one" => "two three") - new_map("*" => "two")
+      assert !map.contains?("one", :two)
+    end
+  end
+
+  describe '#&' do
+    it 'computes the intersection' do
+      map = (
+        new_map("one" => "two three", "four" => "five six", "five" => "five") &
+        new_map("one" => "three four", "four" => "six seven", "six" => "six")
+      )
+      assert map.contains?("one", :three) && map.contains?("four", :six)
+      assert !map.contains?("one", :two) && !map.contains?("four", :five)
+      assert !map.contains?("one", :four) && !map.contains?("four", :seven)
+      assert !map.contains?("five", :five) && !map.contains?("six", :six)
+    end
+
+    it 'works with wildcards' do
+      map = new_map("*" => "three wild", "one" => "four two" ) & new_map("*" => "two wild", "two" => "three four")
+      assert map.contains?("two", :three) && map.contains?("one", :two)
+      assert !map.contains?("one", :four) && !map.contains?("two", :four)
+      assert map.contains?("*", :wild)
+    end
+  end
+end

data/test/prx_auth/scope_list_test.rb

@@ -0,0 +1,102 @@
+require 'test_helper'
+
+describe PrxAuth::ScopeList do
+
+  def new_list(val)
+    PrxAuth::ScopeList.new(val)
+  end
+
+  let (:scopes) { 'read write sell  top-up' }
+  let (:list) { PrxAuth::ScopeList.new(scopes) }
+
+  it 'looks up successfully for a given scope' do
+    assert list.contains?('write')
+  end
+  
+  it 'scans for symbols' do
+    assert list.contains?(:read)
+  end
+
+  it 'handles hyphen to underscore conversions' do
+    assert list.contains?(:top_up)
+  end
+
+  it 'fails for contents not in the list' do
+    assert !list.contains?(:buy)
+  end
+
+  describe 'with namespace' do
+    let (:scopes) { 'ns1:hello ns2:goodbye aloha 1:23' }
+    
+    it 'works for namespaced lookups' do
+      assert list.contains?(:ns1, :hello)
+    end
+
+    it 'fails when the wrong namespace is passed' do
+      assert !list.contains?(:ns1, :goodbye)
+    end
+
+    it 'looks up global scopes when namespaced fails' do
+      assert list.contains?(:ns1, :aloha)
+      assert list.contains?(:ns3, :aloha)
+    end
+
+    it 'works with non-symbol namespaces' do
+      assert list.contains?(1, 23)
+    end
+  end
+
+  describe '#condense' do
+    let (:scopes) { "ns1:foo foo ns1:bar" }
+    it 'removes redundant scopes based on namespace wildcards' do
+      assert list.condense.to_s == "foo ns1:bar"
+    end
+  end
+
+  describe '#-' do
+    it 'subtracts scopes' do
+      sl = new_list('one two') - new_list('two')
+      assert sl.kind_of? PrxAuth::ScopeList
+      assert !sl.contains?(:two)
+      assert sl.contains?(:one)
+    end
+
+    it 'works with scope wildcards' do
+      sl = new_list('ns1:one ns2:two') - new_list('one')
+      assert !sl.contains?(:ns1, :one)
+    end
+
+    it 'accepts nil' do
+      sl = new_list('one two') - nil
+      assert sl.contains?(:one) && sl.contains?(:two)
+    end
+  end
+
+  describe '#+' do
+    it 'adds scopes' do
+      sl = new_list('one') + new_list('two')
+      assert sl.kind_of? PrxAuth::ScopeList
+      assert sl.contains?(:one)
+      assert sl.contains?(:two)
+    end
+
+    it 'accepts nil' do
+      sl = new_list('one two') + nil
+      assert sl.contains?(:one) && sl.contains?(:two)
+    end
+  end
+
+  describe '#&' do
+    it 'gets the intersect of scopes' do
+      sl = (new_list('one two three four') & new_list('two four six'))
+      assert sl.kind_of? PrxAuth::ScopeList
+      assert sl.contains?(:two) && sl.contains?(:four)
+      assert !sl.contains?(:one) && !sl.contains?(:three)  && !sl.contains?(:six)
+    end
+
+    it 'accepts nil' do
+      sl = new_list('one') & nil
+      assert !sl.contains?(:one)
+    end
+  end
+end