prx_auth 1.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 3e7866c4a21b61c3e43328c528301e6b53aa350efc5caec23f94b2c4acebea30
+  data.tar.gz: 4d39f067376023bfa72cdaa2059ea976d5011535e5b766fb5928478508f48e23
+SHA512:
+  metadata.gz: 849fe18e035fe9406412cf48da28578d60ecdd5e5ea632b0577d17dcb0b2566e187452313f86d6186529b963a5771275a4968b5ed8bd342a7fea5bfafeb6d34e
+  data.tar.gz: 916cc3c3e08829b1bd07f638b853bc4a19b9bf68ce08ec5580df999fda8c712f50046a9e11b77ef4063df7e8bfd1ebf15457439ccc67e2c5ff5089ae9c2c2350

data/.gitignore

@@ -0,0 +1,16 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+/vendor/bundle/
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log
+.ruby-version

data/.travis.yml

@@ -0,0 +1,12 @@
+sudo: false
+language: ruby
+cache: bundler
+rvm:
+  - 2.3.7
+  - 2.4.4
+  - 2.5.1
+  - 2.6.3
+before_install:
+  - gem install bundler
+script:
+  - bundle exec rake test

data/CHANGELOG.md

@@ -0,0 +1,20 @@
+# Change Log
+All notable changes to this project will be documented in this file.
+This project adheres to [Semantic Versioning](http://semver.org/).
+
+## [Unreleased][unreleased]
+
+## [0.0.7] - 2015-06-15
+### Added
+- This Changelog
+- TokenData#authorized? method
+
+## [0.0.6] - 2015-04-22
+### Removed
+- Railtie
+### Fixed
+- Endless loop while fetching afer certificate cache expires
+
+[unreleased]: https://github.com/PRX/rack-prx_auth/compare/v0.0.7...HEAD
+[0.0.7]: https://github.com/PRX/rack-prx_auth/compare/v0.0.6...v0.0.7
+[0.0.6]: https://github.com/PRX/rack-prx_auth/compare/v0.0.5...v0.0.6

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in rack-prx_auth.gemspec
+gemspec

data/Guardfile

@@ -0,0 +1,8 @@
+guard :minitest, all_after_pass: true do
+  watch(%r{^test/(.*)\/?test_(.*)\.rb})
+  watch(%r{^lib/(.*/)?([^/]+)\.rb})                      { |m| "test/#{m[1]}test_#{m[2]}.rb" }
+  watch(%r{^lib/(.+)\.rb})                               { |m| "test/#{m[1]}_test.rb" }
+  watch(%r{^lib/(.+)\.rb})                                    { |m| "test/#{m[1]}_test.rb" }
+  watch(%r{^test/.+_test\.rb})
+  watch(%r{^test/test_helper\.rb})                            { 'test' }
+end

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2014 PRX, Eve Asher
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,66 @@
+# Rack::PrxAuth
+
+[![Gem Version](https://badge.fury.io/rb/rack-prx_auth.svg)](http://badge.fury.io/rb/rack-prx_auth)
+[![Dependency Status](https://gemnasium.com/PRX/rack-prx_auth.svg)](https://gemnasium.com/PRX/rack-prx_auth)
+[![Build Status](https://travis-ci.org/PRX/rack-prx_auth.svg?branch=master)](https://travis-ci.org/PRX/rack-prx_auth)
+[![Code Climate](https://codeclimate.com/github/PRX/rack-prx_auth/badges/gpa.svg)](https://codeclimate.com/github/PRX/rack-prx_auth)
+[![Coverage Status](https://coveralls.io/repos/PRX/rack-prx_auth/badge.svg)](https://coveralls.io/r/PRX/rack-prx_auth)
+
+This gem adds middleware to a Rack application that decodes and verified a JSON Web Token (JWT) issued by PRX.org. If the JWT is invalid, the middleware will respond with a 401 Unauthorized. If the JWT was not issued by PRX (or the specified issuer), the request will continue through the middleware stack.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'rack-prx_auth'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install rack-prx_auth
+
+In a non-Rails app, add the following to the application's config.ru file:
+
+```ruby
+use Rack::PrxAuth, cert_location: [CERT LOCATION], issuer: [ISSUER]
+```
+The `cert_location` and `issuer` parameters are optional. See below.
+
+## Usage
+
+### The Request
+
+Rack-prx_auth looks for a token in the request's HTTP_AUTHORIZATION header. It expects that the header's content will take the form of 'Bearer <your token>'. If no HTTP_AUTHORIZATION header is present, rack-prx_auth passes the request to the next middleware.
+
+We have another application that's in charge of making the token. It's called id.prx.org. Its job is to show a form for a user to enter credentials, validate those credentials, and then generate a JWT using PRX's private key. See http://openid.net/specs/openid-connect-implicit-1_0.html to find out what information is encoded in a JWT. Basically it's a hash containing, among other things, the user's ID, the issuer of the token, and when the token expires.
+
+### Configuration
+
+Rack-prx_auth takes two optional parameters, `issuer` and `cert_location`. See Installation for how to specify them.
+
+By default, rack-prx_auth will assume that you want to make sure the JWT was issued by PRX. After decoding the JWT, rack-prx_auth checks the `issuer` field to make sure it's id.prx.org. If you want it to check for a different issuer, pass `issuer: <your issuer>` as a parameter.
+
+Since the JWT was created using PRX's private key, rack-prx_auth needs to fetch PRX's public key to decode it. It does this by accessing the `cert_location` (default is https://id.prx.org/api/v1/certs), generating an OpenSSL::X509::Certificate based on its contents, and determining the public key from the certificate object. Should you wish to get your public key from a different certificate, you may specify a different endpoint by passing `cert_location: <your cert location>` as a parameter. Keep in mind that unless the certificate matches the private key used to make the JWT, rack-prx_auth will return 401.
+
+### The Response
+
+If the token isn't valid, meaning it's expired or it wasn't created using our private key, rack-prx_auth will return 401 Unauthorized.
+
+If there's nothing in the HTTP_AUTHORIZATION heading, there's something but JSON::JWT can't decode it, or the issuer field doesn't specify the correct issuer, rack-prx_auth just punts to the next piece of middleware.
+
+If all goes well, rack-prx_auth takes the decoded JWT and makes a TokenData object. Then it adds this object to the `env` with the key 'prx.auth'.
+
+If you are using rack-prx_auth in a Rails app, you'll have a few handy controller methods available to you. Calling `prx_auth_token` within a controller returns the TokenData object, and `prx_authenticated?` tells you whether a TokenData object is available. Also, if you call `user_id` on the TokenData object, you get the user's ID so you can ask id.prx.org for information about them.
+
+## Contributing
+
+1. Fork it ( https://github.com/PRX/rack-prx_auth/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,10 @@
+require 'bundler/gem_tasks'
+require 'rake'
+require 'rake/testtask'
+
+Rake::TestTask.new do |t|
+  t.libs << 'test'
+  t.pattern = 'test/**/*test.rb'
+end
+
+task default: :test

data/lib/prx_auth.rb

@@ -0,0 +1,3 @@
+require 'prx_auth/resource_map'
+require 'prx_auth/scope_list'
+require 'prx_auth/version'

data/lib/prx_auth/resource_map.rb

@@ -0,0 +1,124 @@
+module PrxAuth
+  class ResourceMap
+    WILDCARD_KEY = '*'
+
+    def initialize(mapped_values)
+      input = mapped_values.clone
+      @wildcard = ScopeList.new(input.delete(WILDCARD_KEY)||'')
+      @map = Hash[input.map do |(key, values)|
+        [key, ScopeList.new(values)]
+      end]
+    end
+
+    def contains?(resource, namespace=nil, scope=nil)
+      resource = resource.to_s
+
+      if resource == WILDCARD_KEY
+        raise ArgumentError if namespace.nil?
+      
+        @wildcard.contains?(namespace, scope)
+      else
+        mapped_resource = @map[resource]
+        
+        if mapped_resource && !namespace.nil?
+          mapped_resource.contains?(namespace, scope) || @wildcard.contains?(namespace, scope)
+        elsif !namespace.nil?
+          @wildcard.contains?(namespace, scope)
+        else
+          !!mapped_resource
+        end
+      end
+    end
+
+    def condense
+      condensed_wildcard = @wildcard.condense
+      condensed_map = Hash[@map.map do |resource, list|
+        [resource, (list - condensed_wildcard).condense]
+      end]
+      ResourceMap.new(condensed_map.merge(WILDCARD_KEY => condensed_wildcard))
+    end
+
+    def +(other_map)
+      result = {}
+      (resources + other_map.resources + [WILDCARD_KEY]).uniq.each do |resource|
+        list_a = list_for_resource(resource)
+        list_b = other_map.list_for_resource(resource)
+        result[resource] = if list_a.nil?
+                             list_b
+                           elsif list_b.nil?
+                             list_a
+                           else
+                             list_a + list_b
+                           end
+      end
+
+      ResourceMap.new(result).condense
+    end
+
+    def -(other_map)
+      result = {}
+      other_wildcard = other_map.list_for_resource(WILDCARD_KEY) || PrxAuth::ScopeList.new('')
+
+      resources.each do |resource|
+        result[resource] = list_for_resource(resource) - (other_wildcard + other_map.list_for_resource(resource))
+      end
+
+      if @wildcard
+        result[WILDCARD_KEY] = @wildcard - other_wildcard
+      end
+
+      ResourceMap.new(result)
+    end
+
+    def &(other_map)
+      result = {}
+      other_wildcard = other_map.list_for_resource(WILDCARD_KEY)
+      
+      (resources + other_map.resources).uniq.each do |res|
+        left = list_for_resource(res)
+        right = other_map.list_for_resource(res)
+
+        result[res] = if left.nil?
+                        right & @wildcard
+                      elsif right.nil?
+                        left & other_wildcard
+                      else
+                        (left + @wildcard) & (right + other_wildcard)
+                      end
+      end
+
+      if @wildcard
+        result[WILDCARD_KEY] = @wildcard - (@wildcard - other_wildcard)
+      end
+
+      ResourceMap.new(result).condense
+    end
+
+    def as_json(opts={})
+      @map.merge(WILDCARD_KEY => @wildcard).as_json(opts)
+    end
+
+    def freeze
+      @map.freeze
+      @wildcard.freeze
+      self
+    end
+
+    def resources(namespace=nil, scope=nil)
+      if namespace.nil?
+        @map.keys
+      else
+        @map.select do |name, list|
+          list.contains?(namespace, scope) || @wildcard.contains?(namespace, scope)
+        end.map(&:first)
+      end
+    end
+
+    protected
+
+    def list_for_resource(resource)
+      return @wildcard if resource.to_s == WILDCARD_KEY
+      @map[resource.to_s]
+    end
+  end
+end

data/lib/prx_auth/scope_list.rb

@@ -0,0 +1,138 @@
+module PrxAuth
+  class ScopeList
+    SCOPE_SEPARATOR = ' '
+    NAMESPACE_SEPARATOR = ':'
+    NO_NAMESPACE = :_
+
+    def self.new(list)
+      case list
+      when PrxAuth::ScopeList then list
+      else super(list)
+      end
+    end
+
+    def initialize(list)
+      @string = list
+    end
+
+    def contains?(namespace, scope=nil)
+      scope, namespace = namespace, NO_NAMESPACE if scope.nil?
+
+      if namespace == NO_NAMESPACE
+        map[namespace].include?(symbolize(scope))
+      else
+        symbolized_scope = symbolize(scope)
+        map[symbolize(namespace)].include?(symbolized_scope) || map[NO_NAMESPACE].include?(symbolized_scope)
+      end
+    end
+
+    def freeze
+      @string.freeze
+      self
+    end
+
+    def to_s
+      @string
+    end
+
+    def condense
+      tripped = false
+      result = map[NO_NAMESPACE].clone
+      namespaces = map.keys - [NO_NAMESPACE]
+
+      namespaces.each do |ns|
+        map[ns].each do |scope|
+          if !contains?(NO_NAMESPACE, scope)
+            result << scope_string(ns, scope)
+          else
+            tripped = true
+          end
+        end
+      end
+
+      if tripped
+        ScopeList.new(result.join(SCOPE_SEPARATOR))
+      else
+        self
+      end
+    end
+
+    def as_json(opts=())
+      to_s.as_json(opts)
+    end
+
+    def -(other_scope_list)
+      return self if other_scope_list.nil?
+
+      tripped = false
+      result = []
+
+      map.each do |namespace, scopes|
+        scopes.each do |scope|
+          if other_scope_list.contains?(namespace, scope)
+            tripped = true
+          else
+            result << scope_string(namespace, scope)
+          end
+        end
+      end
+
+      if tripped
+        ScopeList.new(result.join(SCOPE_SEPARATOR))
+      else
+        self
+      end
+    end
+
+    def +(other_list)
+      return self if other_list.nil?
+
+      ScopeList.new([to_s, other_list.to_s].join(SCOPE_SEPARATOR)).condense
+    end
+
+    def &(other_list)
+      return ScopeList.new('') if other_list.nil?
+      
+      self - (self - other_list)
+    end
+
+    private
+
+    def map
+      @parsed_map ||= empty_map.tap do |map|
+        @string.split(SCOPE_SEPARATOR).each do |value|
+          next if value.length < 1
+
+          parts = value.split(NAMESPACE_SEPARATOR, 2)
+          if parts.length == 2
+            map[symbolize(parts[0])] << symbolize(parts[1])
+          else
+            map[NO_NAMESPACE] << symbolize(parts[0])
+          end
+        end
+      end
+    end
+
+    def scope_string(ns, scope)
+      if ns == NO_NAMESPACE
+        scope.to_s
+      else
+        [ns, scope].join(NAMESPACE_SEPARATOR)
+      end
+    end
+
+    def empty_map
+      @empty_map ||= Hash.new do |hash, key|
+        hash[key] = []
+      end
+    end
+
+    def symbolize(value)
+      case value
+      when Symbol then value
+      when String then value.downcase.gsub('-', '_').intern
+      else symbolize value.to_s
+      end
+    end
+  end
+end