prx_auth 1.1.0

data/test/rack/prx_auth/certificate_test.rb

@@ -0,0 +1,130 @@
+require 'test_helper'
+
+describe Rack::PrxAuth::Certificate do
+  let(:subject) { Rack::PrxAuth::Certificate.new }
+  let(:certificate) { subject }
+
+  describe '#initialize' do
+    it 'allows setting the location of the certificates' do
+      cert = Rack::PrxAuth::Certificate.new('http://example.com')
+      assert cert.cert_location == URI('http://example.com')
+    end
+
+    it 'defaults to DEFAULT_CERT_LOC' do
+      assert certificate.cert_location == Rack::PrxAuth::Certificate::DEFAULT_CERT_LOC
+    end
+  end
+
+  describe '#valid?' do
+    it 'validates the token with the public key' do
+      token, key = nil, nil
+      certificate.stub(:public_key, :public_key) do
+        JSON::JWT.stub(:decode, Proc.new {|t, k| token, key = t, k }) do
+          certificate.valid?(:token)
+        end
+      end
+
+      assert token == :token
+      assert key == :public_key
+    end
+
+    it 'returns false if verification fails' do
+      JSON::JWT.stub(:decode, Proc.new do |t, k|
+        raise JSON::JWT::VerificationFailed
+      end) do
+        certificate.stub(:public_key, :foo) do
+          assert !certificate.valid?(:token)
+        end
+      end
+    end
+
+    it 'returns true if verification passes' do
+      JSON::JWT.stub(:decode, {}) do
+        certificate.stub(:public_key, :foo) do
+          assert certificate.valid?(:token)
+        end
+      end
+    end
+  end
+
+  describe '#certificate' do
+    it 'calls fetch if unprimed' do
+      def certificate.fetch
+        :sigil
+      end
+
+      assert certificate.send(:certificate) == :sigil
+    end
+  end
+
+  describe '#public_key' do
+    it 'pulls from the certificate' do
+      certificate.stub(:certificate, Struct.new(:public_key).new(:key)) do
+        assert certificate.send(:public_key) == :key
+      end
+    end
+  end
+
+  describe '#fetch' do
+    it 'pulls from `#cert_location`' do
+      Net::HTTP.stub(:get, ->(x) { "{\"certificates\":{\"asdf\":\"#{x}\"}}" }) do
+        OpenSSL::X509::Certificate.stub(:new, ->(x) { x }) do
+          certificate.stub(:cert_location, "a://fake.url/here") do
+            assert certificate.send(:fetch) == "a://fake.url/here"
+          end
+        end
+      end
+    end
+
+    it 'sets the expiration value' do
+      Net::HTTP.stub(:get, ->(x) { "{\"certificates\":{\"asdf\":\"#{x}\"}}" }) do
+        OpenSSL::X509::Certificate.stub(:new, ->(_) { Struct.new(:not_after).new(Time.now + 10000) }) do
+          certificate.send :certificate
+          assert !certificate.send(:needs_refresh?)
+        end
+      end
+    end
+  end
+
+  describe '#expired?' do
+    let(:stub_cert) { Struct.new(:not_after).new(Time.now + 10000) }
+    before(:each) do
+      certificate.instance_variable_set :'@certificate', stub_cert
+    end
+
+    it 'is false when the certificate is not expired' do
+      assert !certificate.send(:expired?)
+    end
+
+    it 'is true when the certificate is expired' do
+      stub_cert.not_after = Time.now - 500
+      assert certificate.send(:expired?)
+    end
+  end
+
+  describe '#needs_refresh?' do
+    def refresh_at=(time)
+      certificate.instance_variable_set :'@refresh_at', time
+    end
+
+    it 'is true if certificate is expired' do
+      certificate.stub(:expired?, true) do
+        assert certificate.send(:needs_refresh?)
+      end
+    end
+
+    it 'is true if we are past refresh value' do
+      self.refresh_at = Time.now.to_i - 1000
+      certificate.stub(:expired?, false) do
+        assert certificate.send(:needs_refresh?)
+      end
+    end
+
+    it 'is false if certificate is not expired and refresh is in the future' do
+      self.refresh_at = Time.now.to_i + 10000
+      certificate.stub(:expired?, false) do
+        assert !certificate.send(:needs_refresh?)
+      end
+    end
+  end
+end

data/test/rack/prx_auth/token_data_test.rb

@@ -0,0 +1,101 @@
+require 'test_helper'
+
+describe Rack::PrxAuth::TokenData do
+  it 'pulls user_id from sub' do
+    token = Rack::PrxAuth::TokenData.new('sub' => 123)
+    assert token.user_id == 123
+  end
+
+  it 'pulls resources from aur' do
+    token = Rack::PrxAuth::TokenData.new('aur' => {'123' => 'admin'})
+    assert token.resources.include?('123')
+  end
+
+  it 'unpacks compressed aur' do
+    token = Rack::PrxAuth::TokenData.new('aur' => {
+      '123' => 'member',
+      '$' => {
+        'admin' => [456, 789, 1011]
+      }
+    })
+    assert !token.resources.include?('$')
+    assert token.resources.include?('789')
+    assert token.resources.include?('123')
+  end
+
+  describe '#resources' do
+    let(:token) { Rack::PrxAuth::TokenData.new('aur' => aur) }
+    let(:aur) { {'123' => 'admin ns1:namespaced', '456' => 'member' } }
+
+    it 'scans for resources by namespace and scope' do
+      assert token.resources(:admin) == ['123']
+      assert token.resources(:namespaced) == []
+      assert token.resources(:member) == ['456']
+      assert token.resources(:ns1, :namespaced) == ['123']
+      assert token.resources(:ns1, :member) == ['456']
+    end
+  end
+
+  describe '#authorized?' do
+    let(:token) { Rack::PrxAuth::TokenData.new('aur' => aur, 'scope' => scope) }
+    let(:scope) { 'read write purchase sell delete' }
+    let(:aur) { {'123' => 'admin ns1:namespaced', '456' => 'member' } }
+
+    it 'is authorized for scope in aur' do
+      assert token.authorized?(123, 'admin')
+    end
+
+    it 'is not authorized across aur limits' do
+      assert !token.authorized?(123, :member)
+    end
+
+    it 'does not require a scope' do
+      assert token.authorized?(123)
+    end
+
+    it 'is unauthorized if it hasnt seen the resource' do
+      assert !token.authorized?(789)
+    end
+
+    it 'works for namespaced scopes' do
+      assert token.authorized?(123, :ns1, :namespaced)
+      assert !token.authorized?(123, :namespaced)
+      assert token.authorized?(123, :ns1, :admin)
+    end
+
+    describe 'with wildcard role' do
+      let(:aur) { {'*' => 'peek', '123' => 'admin', '456' => 'member' } }
+
+      it 'applies wildcard tokens to queries with no matching aur' do
+        assert token.authorized?(789, :peek)
+      end
+
+      it 'does not authorize unscoped for wildcard resources' do
+        assert !token.authorized?(789)
+      end
+
+      it 'allows querying by wildcard resource directly' do
+        assert token.authorized?('*', :peek)
+        assert !token.authorized?('*', :admin)
+      end
+
+      it 'has a shorthand `gobally_authorized?` to query wildcard' do
+        assert token.globally_authorized?(:peek)
+        assert !token.globally_authorized?(:admin)
+      end
+
+      it 'treats global authorizations as additive to other explicit ones' do
+        assert token.authorized?(123, :peek)
+      end
+
+      it 'refuses to run `globally_authorized?` with no scope' do
+        assert_raises ArgumentError do
+          token.globally_authorized?
+        end
+        assert_raises ArgumentError do
+          token.authorized?('*')
+        end
+      end
+    end
+  end
+end

data/test/rack/prx_auth_test.rb

@@ -0,0 +1,97 @@
+require 'test_helper'
+
+describe Rack::PrxAuth do
+  let(:app) { Proc.new {|env| env } }
+  let(:prxauth) { Rack::PrxAuth.new(app) }
+  let(:fake_token) { 'afawefawefawefawegstgnsrtiohnlijblublwjnvrtoign'}
+  let(:env) { {'HTTP_AUTHORIZATION' => 'Bearer ' + fake_token } }
+  let(:claims) { {'sub'=>3, 'exp'=>3600, 'iat'=>Time.now.to_i, 'token_type'=>'bearer', 'scope'=>nil, 'iss'=>'id.prx.org'} }
+
+  describe '#call' do
+    it 'does nothing if there is no authorization header' do
+      env = {}
+
+      assert prxauth.call(env.clone) == env
+    end
+
+    it 'does nothing if the token is from another issuer' do
+      claims['iss'] = 'auth.elsewhere.org'
+
+      JSON::JWT.stub(:decode, claims) do
+        assert prxauth.call(env.clone) == env
+      end
+    end
+
+    it 'does nothing if token is invalid' do
+      assert prxauth.call(env.clone) == env
+    end
+
+    it 'does nothing if the token is nil' do
+      env = { "HTTP_AUTHORIZATION" => "Bearer "}
+      assert prxauth.call(env) == env
+    end
+
+    it 'returns 401 if verification fails' do
+      JSON::JWT.stub(:decode, claims) do
+        prxauth.stub(:valid?, false) do
+          assert prxauth.call(env) == Rack::PrxAuth::INVALID_TOKEN
+        end
+      end
+    end
+
+    it 'returns 401 if access token has expired' do
+      JSON::JWT.stub(:decode, claims) do
+        prxauth.stub(:expired?, true) do
+          assert prxauth.call(env) == Rack::PrxAuth::INVALID_TOKEN
+        end
+      end
+    end
+
+    it 'attaches claims to request params if verification passes' do
+      prxauth.stub(:decode_token, claims) do
+        prxauth.stub(:valid?, true) do
+          prxauth.call(env)['prx.auth'].tap do |token|
+            assert token.instance_of? Rack::PrxAuth::TokenData
+            assert token.user_id == claims['sub']
+          end
+        end
+      end
+    end
+  end
+
+  describe '#token_expired?' do
+    it 'returns true if token is expired' do
+      claims['iat'] = Time.now.to_i - 4000
+
+      assert prxauth.send(:expired?, claims) == true
+    end
+
+    it 'returns false if it is valid' do
+      assert prxauth.send(:expired?, claims) == false
+    end
+  end
+
+  describe 'initialize' do
+    it 'takes a certificate location as an option' do
+      loc = nil
+      Rack::PrxAuth::Certificate.stub(:new, Proc.new{|l| loc = l}) do
+        Rack::PrxAuth.new(app, cert_location: :location)
+        assert loc == :location
+      end
+    end
+  end
+
+  describe '#decode_token' do
+    it 'should return an empty result for a nil token' do
+      assert prxauth.send(:decode_token, nil) == {}
+    end
+
+    it 'should return an empty result for an empty token' do
+      assert prxauth.send(:decode_token, {}) == {}
+    end
+
+    it 'should return an empty result for a malformed token' do
+      assert prxauth.send(:decode_token, 'asdfsadfsad') == {}
+    end
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,10 @@
+require 'coveralls'
+Coveralls.wear!
+
+$LOAD_PATH.unshift File.expand_path('../../lib', __FILE__)
+require 'prx_auth'
+require 'rack/prx_auth'
+
+require 'minitest/autorun'
+require 'minitest/spec'
+require 'minitest/pride'

metadata

@@ -0,0 +1,187 @@
+--- !ruby/object:Gem::Specification
+name: prx_auth
+version: !ruby/object:Gem::Version
+  version: 1.1.0
+platform: ruby
+authors:
+- Eve Asher
+- Chris Rhoden
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-04-23 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: coveralls
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: guard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: guard-minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.5.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.5.2
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.8.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.8.1
+- !ruby/object:Gem::Dependency
+  name: json-jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.9.4
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.9.4
+description: Specific to PRX. Will ignore tokens that were not issued by PRX.
+email:
+- eve@prx.org
+- carhoden@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".travis.yml"
+- CHANGELOG.md
+- Gemfile
+- Guardfile
+- LICENSE
+- README.md
+- Rakefile
+- lib/prx_auth.rb
+- lib/prx_auth/resource_map.rb
+- lib/prx_auth/scope_list.rb
+- lib/prx_auth/version.rb
+- lib/rack/prx_auth.rb
+- lib/rack/prx_auth/certificate.rb
+- lib/rack/prx_auth/token_data.rb
+- lib/rack/prx_auth/version.rb
+- prx_auth.gemspec
+- test/prx_auth/resource_map_test.rb
+- test/prx_auth/scope_list_test.rb
+- test/rack/prx_auth/certificate_test.rb
+- test/rack/prx_auth/token_data_test.rb
+- test/rack/prx_auth_test.rb
+- test/test_helper.rb
+homepage: https://github.com/PRX/prx_auth
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.3'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.1
+signing_key: 
+specification_version: 4
+summary: Utilites for parsing PRX JWTs and Rack middleware that verifies and attaches
+  the token's claims to env.
+test_files:
+- test/prx_auth/resource_map_test.rb
+- test/prx_auth/scope_list_test.rb
+- test/rack/prx_auth/certificate_test.rb
+- test/rack/prx_auth/token_data_test.rb
+- test/rack/prx_auth_test.rb
+- test/test_helper.rb