prx_auth 1.1.0 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3e7866c4a21b61c3e43328c528301e6b53aa350efc5caec23f94b2c4acebea30
-  data.tar.gz: 4d39f067376023bfa72cdaa2059ea976d5011535e5b766fb5928478508f48e23
+  metadata.gz: b6b1ad46cadbbeddae8e3bebd398582339573c0cd93a16e1ec32d81640c57132
+  data.tar.gz: e16653c6a43a3398d770dee31c1cc414a5a1eedb38434e8568c9d7fad3f74e78
 SHA512:
-  metadata.gz: 849fe18e035fe9406412cf48da28578d60ecdd5e5ea632b0577d17dcb0b2566e187452313f86d6186529b963a5771275a4968b5ed8bd342a7fea5bfafeb6d34e
-  data.tar.gz: 916cc3c3e08829b1bd07f638b853bc4a19b9bf68ce08ec5580df999fda8c712f50046a9e11b77ef4063df7e8bfd1ebf15457439ccc67e2c5ff5089ae9c2c2350
+  metadata.gz: ef892e741fce211dd772a141dd0b80741b395cc8a926651322c79e9bcb91e141c556164c5b46a2f617a5297bc26ab04c0e6f1b954c6d7440ecd42d78831d1025
+  data.tar.gz: 50f52aa960307c3f2117cef31586c946338b032183c5d0f85d1098af448e0fe4e27b97365a782970b95738eec4e6be90f05f35dde1597841f70e0ede9a2a4aa4

data/README.md

@@ -1,10 +1,10 @@
-# Rack::PrxAuth
+# PrxAuth
 
-[![Gem Version](https://badge.fury.io/rb/rack-prx_auth.svg)](http://badge.fury.io/rb/rack-prx_auth)
-[![Dependency Status](https://gemnasium.com/PRX/rack-prx_auth.svg)](https://gemnasium.com/PRX/rack-prx_auth)
-[![Build Status](https://travis-ci.org/PRX/rack-prx_auth.svg?branch=master)](https://travis-ci.org/PRX/rack-prx_auth)
-[![Code Climate](https://codeclimate.com/github/PRX/rack-prx_auth/badges/gpa.svg)](https://codeclimate.com/github/PRX/rack-prx_auth)
-[![Coverage Status](https://coveralls.io/repos/PRX/rack-prx_auth/badge.svg)](https://coveralls.io/r/PRX/rack-prx_auth)
+[![Gem Version](https://badge.fury.io/rb/prx_auth.svg)](http://badge.fury.io/rb/prx_auth)
+[![Dependency Status](https://gemnasium.com/PRX/prx_auth.svg)](https://gemnasium.com/PRX/prx_auth)
+[![Build Status](https://travis-ci.org/PRX/prx_auth.svg?branch=master)](https://travis-ci.org/PRX/prx_auth)
+[![Code Climate](https://codeclimate.com/github/PRX/prx_auth/badges/gpa.svg)](https://codeclimate.com/github/PRX/prx_auth)
+[![Coverage Status](https://coveralls.io/repos/PRX/prx_auth/badge.svg)](https://coveralls.io/r/PRX/prx_auth)
 
 This gem adds middleware to a Rack application that decodes and verified a JSON Web Token (JWT) issued by PRX.org. If the JWT is invalid, the middleware will respond with a 401 Unauthorized. If the JWT was not issued by PRX (or the specified issuer), the request will continue through the middleware stack.
 
@@ -13,7 +13,7 @@ This gem adds middleware to a Rack application that decodes and verified a JSON
 Add this line to your application's Gemfile:
 
 ```ruby
-gem 'rack-prx_auth'
+gem 'prx_auth'
 ```
 
 And then execute:
@@ -22,44 +22,51 @@ And then execute:
 
 Or install it yourself as:
 
-    $ gem install rack-prx_auth
+    $ gem install prx_auth
 
 In a non-Rails app, add the following to the application's config.ru file:
 
 ```ruby
+require 'rack/prx_auth'
 use Rack::PrxAuth, cert_location: [CERT LOCATION], issuer: [ISSUER]
 ```
 The `cert_location` and `issuer` parameters are optional. See below.
 
 ## Usage
 
-### The Request
+### Utility Classes
 
-Rack-prx_auth looks for a token in the request's HTTP_AUTHORIZATION header. It expects that the header's content will take the form of 'Bearer <your token>'. If no HTTP_AUTHORIZATION header is present, rack-prx_auth passes the request to the next middleware.
+Right now, we just have ResourceMap and ScopeList which allow you to work with scopes the way they are handled in the id.prx.org tokens. Resource wildcards and namespaces are supported. By using ResourceMap and ScopeList, you can also perform set arithmetic while handling wildcard semantics.
+
+### Rack::PrxAuth
+
+#### The Request
+
+Rack::PrxAuth looks for a token in the request's HTTP_AUTHORIZATION header. It expects that the header's content will take the form of 'Bearer <your token>'. If no HTTP_AUTHORIZATION header is present, the middlware passes the request to the next middleware.
 
 We have another application that's in charge of making the token. It's called id.prx.org. Its job is to show a form for a user to enter credentials, validate those credentials, and then generate a JWT using PRX's private key. See http://openid.net/specs/openid-connect-implicit-1_0.html to find out what information is encoded in a JWT. Basically it's a hash containing, among other things, the user's ID, the issuer of the token, and when the token expires.
 
-### Configuration
+#### Configuration
 
-Rack-prx_auth takes two optional parameters, `issuer` and `cert_location`. See Installation for how to specify them.
+Rack::PrxAuth takes two optional parameters, `issuer` and `cert_location`. See Installation for how to specify them.
 
-By default, rack-prx_auth will assume that you want to make sure the JWT was issued by PRX. After decoding the JWT, rack-prx_auth checks the `issuer` field to make sure it's id.prx.org. If you want it to check for a different issuer, pass `issuer: <your issuer>` as a parameter.
+By default, Rack::PrxAuth will assume that you want to make sure the JWT was issued by PRX. After decoding the JWT, Rack::PrxAuth checks the `issuer` field to make sure it's id.prx.org. If you want it to check for a different issuer, pass `issuer: <your issuer>` as a parameter.
 
-Since the JWT was created using PRX's private key, rack-prx_auth needs to fetch PRX's public key to decode it. It does this by accessing the `cert_location` (default is https://id.prx.org/api/v1/certs), generating an OpenSSL::X509::Certificate based on its contents, and determining the public key from the certificate object. Should you wish to get your public key from a different certificate, you may specify a different endpoint by passing `cert_location: <your cert location>` as a parameter. Keep in mind that unless the certificate matches the private key used to make the JWT, rack-prx_auth will return 401.
+Since the JWT was created using PRX's private key, rack-prx_auth needs to fetch PRX's public key to decode it. It does this by accessing the `cert_location` (default is https://id.prx.org/api/v1/certs), generating an OpenSSL::X509::Certificate based on its contents, and determining the public key from the certificate object. Should you wish to get your public key from a different certificate, you may specify a different endpoint by passing `cert_location: <your cert location>` as a parameter. Keep in mind that unless the certificate matches the private key used to make the JWT, Rack::PrxAuth will return 401.
 
-### The Response
+#### The Response
 
-If the token isn't valid, meaning it's expired or it wasn't created using our private key, rack-prx_auth will return 401 Unauthorized.
+If the token isn't valid, meaning it's expired or it wasn't created using our private key, Rack::PrxAuth will return 401 Unauthorized.
 
-If there's nothing in the HTTP_AUTHORIZATION heading, there's something but JSON::JWT can't decode it, or the issuer field doesn't specify the correct issuer, rack-prx_auth just punts to the next piece of middleware.
+If there's nothing in the HTTP_AUTHORIZATION heading, there's something but JSON::JWT can't decode it, or the issuer field doesn't specify the correct issuer, Rack::PrxAuth just punts to the next piece of middleware.
 
-If all goes well, rack-prx_auth takes the decoded JWT and makes a TokenData object. Then it adds this object to the `env` with the key 'prx.auth'.
+If all goes well, Rack::PrxAuth takes the decoded JWT and makes a TokenData object. Then it adds this object to the `env` with the key 'prx.auth'.
 
-If you are using rack-prx_auth in a Rails app, you'll have a few handy controller methods available to you. Calling `prx_auth_token` within a controller returns the TokenData object, and `prx_authenticated?` tells you whether a TokenData object is available. Also, if you call `user_id` on the TokenData object, you get the user's ID so you can ask id.prx.org for information about them.
+If you are using Rack::PrxAuth in a Rails app, probably use [prx_auth-rails](https://github.com/PRX/prx_auth-rails) which will automatically install the middleware and add some helpful controller methods.
 
 ## Contributing
 
-1. Fork it ( https://github.com/PRX/rack-prx_auth/fork )
+1. Fork it ( https://github.com/PRX/prx_auth/fork )
 2. Create your feature branch (`git checkout -b my-new-feature`)
 3. Commit your changes (`git commit -am 'Add some feature'`)
 4. Push to the branch (`git push origin my-new-feature`)

data/lib/prx_auth/resource_map.rb

@@ -1,13 +1,20 @@
 module PrxAuth
-  class ResourceMap
+  class ResourceMap < Hash
     WILDCARD_KEY = '*'
 
     def initialize(mapped_values)
+      super() do |hash, key|
+        if key == WILDCARD_KEY
+          @wildcard
+        else
+          nil
+        end
+      end
       input = mapped_values.clone
       @wildcard = ScopeList.new(input.delete(WILDCARD_KEY)||'')
-      @map = Hash[input.map do |(key, values)|
-        [key, ScopeList.new(values)]
-      end]
+      input.each do |(key, values)|
+        self[key.to_s] = ScopeList.new(values)
+      end
     end
 
     def contains?(resource, namespace=nil, scope=nil)
@@ -18,7 +25,7 @@ module PrxAuth
       
         @wildcard.contains?(namespace, scope)
       else
-        mapped_resource = @map[resource]
+        mapped_resource = self[resource]
         
         if mapped_resource && !namespace.nil?
           mapped_resource.contains?(namespace, scope) || @wildcard.contains?(namespace, scope)
@@ -32,7 +39,7 @@ module PrxAuth
 
     def condense
       condensed_wildcard = @wildcard.condense
-      condensed_map = Hash[@map.map do |resource, list|
+      condensed_map = Hash[map do |resource, list|
         [resource, (list - condensed_wildcard).condense]
       end]
       ResourceMap.new(condensed_map.merge(WILDCARD_KEY => condensed_wildcard))
@@ -63,7 +70,7 @@ module PrxAuth
         result[resource] = list_for_resource(resource) - (other_wildcard + other_map.list_for_resource(resource))
       end
 
-      if @wildcard
+      if @wildcard.length
         result[WILDCARD_KEY] = @wildcard - other_wildcard
       end
 
@@ -87,7 +94,7 @@ module PrxAuth
                       end
       end
 
-      if @wildcard
+      if @wildcard.length > 0
         result[WILDCARD_KEY] = @wildcard - (@wildcard - other_wildcard)
       end
 
@@ -95,20 +102,14 @@ module PrxAuth
     end
 
     def as_json(opts={})
-      @map.merge(WILDCARD_KEY => @wildcard).as_json(opts)
-    end
-
-    def freeze
-      @map.freeze
-      @wildcard.freeze
-      self
+      super(opts).merge(@wildcard.length > 0 ? {WILDCARD_KEY => @wildcard}.as_json(opts) : {})
     end
 
     def resources(namespace=nil, scope=nil)
       if namespace.nil?
-        @map.keys
+        keys
       else
-        @map.select do |name, list|
+        select do |name, list|
           list.contains?(namespace, scope) || @wildcard.contains?(namespace, scope)
         end.map(&:first)
       end
@@ -117,8 +118,7 @@ module PrxAuth
     protected
 
     def list_for_resource(resource)
-      return @wildcard if resource.to_s == WILDCARD_KEY
-      @map[resource.to_s]
+      self[resource.to_s]
     end
   end
 end

data/lib/prx_auth/scope_list.rb

@@ -1,52 +1,87 @@
 module PrxAuth
-  class ScopeList
+  class ScopeList < Array
     SCOPE_SEPARATOR = ' '
     NAMESPACE_SEPARATOR = ':'
     NO_NAMESPACE = :_
 
+    Entry = Struct.new(:namespace, :scope)
+
+    class Entry
+      def equal?(other_entry)
+        namespace == other_entry.namespace && scope == other_entry.scope
+      end
+
+      def to_s
+        if namespaced?
+          "#{namespace}:#{scope}"
+        else
+          scope.to_s
+        end
+      end
+
+      def namespaced?
+        !(namespace.nil? || namespace == NO_NAMESPACE)
+      end
+
+      def unnamespaced
+        if namespaced?
+          Entry.new(NO_NAMESPACE, scope)
+        else
+          self
+        end
+      end
+    end
+
     def self.new(list)
       case list
       when PrxAuth::ScopeList then list
+      when Array then super(list.join(' '))
       else super(list)
       end
     end
 
     def initialize(list)
       @string = list
+      @string.split(SCOPE_SEPARATOR).each do |value|
+        next if value.length < 1
+
+        parts = value.split(NAMESPACE_SEPARATOR, 2)
+        if parts.length == 2
+          push Entry.new(symbolize(parts[0]), symbolize(parts[1]))
+        else
+          push Entry.new(NO_NAMESPACE, symbolize(parts[0]))
+        end
+      end
     end
 
     def contains?(namespace, scope=nil)
-      scope, namespace = namespace, NO_NAMESPACE if scope.nil?
-
-      if namespace == NO_NAMESPACE
-        map[namespace].include?(symbolize(scope))
-      else
-        symbolized_scope = symbolize(scope)
-        map[symbolize(namespace)].include?(symbolized_scope) || map[NO_NAMESPACE].include?(symbolized_scope)
+      entries = if scope.nil?
+                  scope, namespace = namespace, NO_NAMESPACE 
+                  [Entry.new(namespace, symbolize(scope))]
+                else
+                  scope = symbolize(scope)
+                  namespace = symbolize(namespace)
+                  [Entry.new(namespace, scope), Entry.new(NO_NAMESPACE, scope)]
+                end
+      
+      entries.any? do |possible_match|
+        include?(possible_match)
       end
     end
 
-    def freeze
-      @string.freeze
-      self
-    end
-
     def to_s
       @string
     end
 
     def condense
       tripped = false
-      result = map[NO_NAMESPACE].clone
-      namespaces = map.keys - [NO_NAMESPACE]
-
-      namespaces.each do |ns|
-        map[ns].each do |scope|
-          if !contains?(NO_NAMESPACE, scope)
-            result << scope_string(ns, scope)
-          else
-            tripped = true
-          end
+      result = []
+
+      each do |entry|
+        if entry.namespaced? && include?(entry.unnamespaced)
+          tripped = true
+        else
+          result << entry
         end
       end
 
@@ -67,13 +102,11 @@ module PrxAuth
       tripped = false
       result = []
 
-      map.each do |namespace, scopes|
-        scopes.each do |scope|
-          if other_scope_list.contains?(namespace, scope)
-            tripped = true
-          else
-            result << scope_string(namespace, scope)
-          end
+      each do |entry|
+        if other_scope_list.include?(entry) || other_scope_list.include?(entry.unnamespaced)
+          tripped = true
+        else
+          result << entry
         end
       end
 
@@ -98,35 +131,6 @@ module PrxAuth
 
     private
 
-    def map
-      @parsed_map ||= empty_map.tap do |map|
-        @string.split(SCOPE_SEPARATOR).each do |value|
-          next if value.length < 1
-
-          parts = value.split(NAMESPACE_SEPARATOR, 2)
-          if parts.length == 2
-            map[symbolize(parts[0])] << symbolize(parts[1])
-          else
-            map[NO_NAMESPACE] << symbolize(parts[0])
-          end
-        end
-      end
-    end
-
-    def scope_string(ns, scope)
-      if ns == NO_NAMESPACE
-        scope.to_s
-      else
-        [ns, scope].join(NAMESPACE_SEPARATOR)
-      end
-    end
-
-    def empty_map
-      @empty_map ||= Hash.new do |hash, key|
-        hash[key] = []
-      end
-    end
-
     def symbolize(value)
       case value
       when Symbol then value

data/lib/prx_auth/version.rb

@@ -1,3 +1,3 @@
 module PrxAuth
-  VERSION = "1.1.0"
+  VERSION = "1.2.0"
 end

data/test/prx_auth/resource_map_test.rb

@@ -155,4 +155,18 @@ describe PrxAuth::ResourceMap do
       assert map.contains?("*", :wild)
     end
   end
+
+  describe '#as_json' do
+    it 'does not include wildcard key if list is empty' do
+      map = new_map("foo" => "asdf")
+      refute map.as_json.has_key?('*')
+      map2 = new_map("foo" => "asdf", "*" => "")
+      refute map2.as_json.has_key?('*')
+    end
+
+    it 'includes the wildcard key if the list is not empty' do
+      map = new_map("*" => "asdf")
+      assert map.as_json.has_key?('*')
+    end
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: prx_auth
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.2.0
 platform: ruby
 authors:
 - Eve Asher
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-23 00:00:00.000000000 Z
+date: 2020-08-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -146,7 +146,6 @@ files:
 - lib/rack/prx_auth.rb
 - lib/rack/prx_auth/certificate.rb
 - lib/rack/prx_auth/token_data.rb
-- lib/rack/prx_auth/version.rb
 - prx_auth.gemspec
 - test/prx_auth/resource_map_test.rb
 - test/prx_auth/scope_list_test.rb

data/lib/rack/prx_auth/version.rb

@@ -1,7 +0,0 @@
-require 'prx_auth/version'
-
-module Rack
-  class PrxAuth
-    VERSION = PrxAuth::VERSION
-  end
-end