prx_auth 1.2.0 → 1.5.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/prx_auth/resource_map.rb +8 -0
- data/lib/prx_auth/scope_list.rb +17 -13
- data/lib/prx_auth/version.rb +1 -1
- data/lib/rack/prx_auth.rb +6 -1
- data/prx_auth.gemspec +2 -2
- data/test/prx_auth/resource_map_test.rb +13 -0
- data/test/prx_auth/scope_list_test.rb +27 -0
- data/test/rack/prx_auth_test.rb +43 -7
- metadata +6 -6
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 0ac722c142dfc949c887f3bd913c19e9a743c6dc9503badaa967fc180b200344
|
4
|
+
data.tar.gz: bbac43c4ad1611c136da5a66f544eea639262fa2cb01e6eb1853610ee630b0ca
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 7941fafb990e4d7aa8cb070963aba181b91d3d108fd4a4d6017618b15532d83876db3dc69a3fb962d5193adb61f82cad5874b7b65590880b99a6eb68117e0e6d
|
7
|
+
data.tar.gz: b3d1a127bbe650df453b3158d81df5fd56dfcad9c9862ceaba502ca25dd45ad9c6a6764f65a481cd6a54989aa22b5cf10774a003efc97d949c782cdddc767660
|
data/lib/prx_auth/scope_list.rb
CHANGED
@@ -4,19 +4,15 @@ module PrxAuth
|
|
4
4
|
NAMESPACE_SEPARATOR = ':'
|
5
5
|
NO_NAMESPACE = :_
|
6
6
|
|
7
|
-
Entry = Struct.new(:namespace, :scope)
|
7
|
+
Entry = Struct.new(:namespace, :scope, :string)
|
8
8
|
|
9
9
|
class Entry
|
10
|
-
def
|
10
|
+
def ==(other_entry)
|
11
11
|
namespace == other_entry.namespace && scope == other_entry.scope
|
12
12
|
end
|
13
13
|
|
14
14
|
def to_s
|
15
|
-
|
16
|
-
"#{namespace}:#{scope}"
|
17
|
-
else
|
18
|
-
scope.to_s
|
19
|
-
end
|
15
|
+
string
|
20
16
|
end
|
21
17
|
|
22
18
|
def namespaced?
|
@@ -25,11 +21,15 @@ module PrxAuth
|
|
25
21
|
|
26
22
|
def unnamespaced
|
27
23
|
if namespaced?
|
28
|
-
Entry.new(NO_NAMESPACE, scope)
|
24
|
+
Entry.new(NO_NAMESPACE, scope, string.split(':').last)
|
29
25
|
else
|
30
26
|
self
|
31
27
|
end
|
32
28
|
end
|
29
|
+
|
30
|
+
def inspect
|
31
|
+
"#<ScopeList::Entry \"#{to_s}\">"
|
32
|
+
end
|
33
33
|
end
|
34
34
|
|
35
35
|
def self.new(list)
|
@@ -47,9 +47,9 @@ module PrxAuth
|
|
47
47
|
|
48
48
|
parts = value.split(NAMESPACE_SEPARATOR, 2)
|
49
49
|
if parts.length == 2
|
50
|
-
push Entry.new(symbolize(parts[0]), symbolize(parts[1]))
|
50
|
+
push Entry.new(symbolize(parts[0]), symbolize(parts[1]), value)
|
51
51
|
else
|
52
|
-
push Entry.new(NO_NAMESPACE, symbolize(parts[0]))
|
52
|
+
push Entry.new(NO_NAMESPACE, symbolize(parts[0]), value)
|
53
53
|
end
|
54
54
|
end
|
55
55
|
end
|
@@ -57,11 +57,11 @@ module PrxAuth
|
|
57
57
|
def contains?(namespace, scope=nil)
|
58
58
|
entries = if scope.nil?
|
59
59
|
scope, namespace = namespace, NO_NAMESPACE
|
60
|
-
[Entry.new(namespace, symbolize(scope))]
|
60
|
+
[Entry.new(namespace, symbolize(scope), nil)]
|
61
61
|
else
|
62
62
|
scope = symbolize(scope)
|
63
63
|
namespace = symbolize(namespace)
|
64
|
-
[Entry.new(namespace, scope), Entry.new(NO_NAMESPACE, scope)]
|
64
|
+
[Entry.new(namespace, scope, nil), Entry.new(NO_NAMESPACE, scope, nil)]
|
65
65
|
end
|
66
66
|
|
67
67
|
entries.any? do |possible_match|
|
@@ -126,7 +126,11 @@ module PrxAuth
|
|
126
126
|
def &(other_list)
|
127
127
|
return ScopeList.new('') if other_list.nil?
|
128
128
|
|
129
|
-
self - (self - other_list)
|
129
|
+
self - (self - other_list) + (other_list - (other_list - self))
|
130
|
+
end
|
131
|
+
|
132
|
+
def ==(other)
|
133
|
+
condense.sort_by(&:to_s) == other.condense.sort_by(&:to_s)
|
130
134
|
end
|
131
135
|
|
132
136
|
private
|
data/lib/prx_auth/version.rb
CHANGED
data/lib/rack/prx_auth.rb
CHANGED
@@ -53,7 +53,12 @@ module Rack
|
|
53
53
|
end
|
54
54
|
|
55
55
|
def expired?(claims)
|
56
|
-
Time.now.to_i
|
56
|
+
now = Time.now.to_i - 30 # 30 second clock jitter allowance
|
57
|
+
if claims['iat'] <= claims['exp']
|
58
|
+
now > claims['exp']
|
59
|
+
else
|
60
|
+
now > (claims['iat'] + claims['exp'])
|
61
|
+
end
|
57
62
|
end
|
58
63
|
|
59
64
|
def should_validate_token?(claims)
|
data/prx_auth.gemspec
CHANGED
@@ -21,12 +21,12 @@ Gem::Specification.new do |spec|
|
|
21
21
|
spec.required_ruby_version = '>= 2.3'
|
22
22
|
|
23
23
|
spec.add_development_dependency 'bundler', '~> 2.0'
|
24
|
-
spec.add_development_dependency 'rake', '~>
|
24
|
+
spec.add_development_dependency 'rake', '~> 12.3.3'
|
25
25
|
spec.add_development_dependency 'coveralls', '~> 0'
|
26
26
|
spec.add_development_dependency 'guard'
|
27
27
|
spec.add_development_dependency 'guard-minitest'
|
28
28
|
|
29
29
|
spec.add_dependency 'rack', '>= 1.5.2'
|
30
30
|
spec.add_dependency 'json', '>= 1.8.1'
|
31
|
-
spec.add_dependency 'json-jwt', '~> 1.
|
31
|
+
spec.add_dependency 'json-jwt', '~> 1.11.0'
|
32
32
|
end
|
@@ -169,4 +169,17 @@ describe PrxAuth::ResourceMap do
|
|
169
169
|
assert map.as_json.has_key?('*')
|
170
170
|
end
|
171
171
|
end
|
172
|
+
|
173
|
+
describe '#[]' do
|
174
|
+
it 'automatically stringifies' do
|
175
|
+
refute_nil map[123]
|
176
|
+
end
|
177
|
+
end
|
178
|
+
|
179
|
+
describe '#[]=' do
|
180
|
+
it 'automatically stringifies' do
|
181
|
+
map[789] = PrxAuth::ScopeList.new("")
|
182
|
+
refute_nil map["789"]
|
183
|
+
end
|
184
|
+
end
|
172
185
|
end
|
@@ -70,6 +70,12 @@ describe PrxAuth::ScopeList do
|
|
70
70
|
sl = new_list('one two') - nil
|
71
71
|
assert sl.contains?(:one) && sl.contains?(:two)
|
72
72
|
end
|
73
|
+
|
74
|
+
it 'maintains dashes and capitalization in the result' do
|
75
|
+
sl = new_list('The-Beginning the-middle the-end') - new_list('the-Middle')
|
76
|
+
assert sl.to_s == 'The-Beginning the-end'
|
77
|
+
end
|
78
|
+
|
73
79
|
end
|
74
80
|
|
75
81
|
describe '#+' do
|
@@ -98,5 +104,26 @@ describe PrxAuth::ScopeList do
|
|
98
104
|
sl = new_list('one') & nil
|
99
105
|
assert !sl.contains?(:one)
|
100
106
|
end
|
107
|
+
|
108
|
+
it 'works when either side has non-namespaced values correctly' do
|
109
|
+
sl = PrxAuth::ScopeList.new('foo:bar') & PrxAuth::ScopeList.new('bar')
|
110
|
+
assert sl.contains?(:foo, :bar)
|
111
|
+
refute sl.contains?(:bar)
|
112
|
+
|
113
|
+
sl = PrxAuth::ScopeList.new('bar') & PrxAuth::ScopeList.new('foo:bar')
|
114
|
+
assert sl.contains?(:foo, :bar)
|
115
|
+
refute sl.contains?(:bar)
|
116
|
+
end
|
117
|
+
end
|
118
|
+
|
119
|
+
describe '==' do
|
120
|
+
|
121
|
+
it 'is equal when they are functionally equal' do
|
122
|
+
assert_equal PrxAuth::ScopeList.new("foo ns:foo bar ns2:baz"), PrxAuth::ScopeList.new("ns2:baz bar foo")
|
123
|
+
end
|
124
|
+
|
125
|
+
it 'is not equal when they are not functionally equal' do
|
126
|
+
refute_equal PrxAuth::ScopeList.new("foo bar"), PrxAuth::ScopeList.new("foo:bar bar:foo")
|
127
|
+
end
|
101
128
|
end
|
102
129
|
end
|
data/test/rack/prx_auth_test.rb
CHANGED
@@ -5,7 +5,9 @@ describe Rack::PrxAuth do
|
|
5
5
|
let(:prxauth) { Rack::PrxAuth.new(app) }
|
6
6
|
let(:fake_token) { 'afawefawefawefawegstgnsrtiohnlijblublwjnvrtoign'}
|
7
7
|
let(:env) { {'HTTP_AUTHORIZATION' => 'Bearer ' + fake_token } }
|
8
|
-
let(:
|
8
|
+
let(:iat) { Time.now.to_i }
|
9
|
+
let(:exp) { 3600 }
|
10
|
+
let(:claims) { {'sub'=>3, 'exp'=>exp, 'iat'=>iat, 'token_type'=>'bearer', 'scope'=>nil, 'iss'=>'id.prx.org'} }
|
9
11
|
|
10
12
|
describe '#call' do
|
11
13
|
it 'does nothing if there is no authorization header' do
|
@@ -59,15 +61,49 @@ describe Rack::PrxAuth do
|
|
59
61
|
end
|
60
62
|
end
|
61
63
|
|
62
|
-
describe '#
|
63
|
-
it 'returns true if token is expired' do
|
64
|
-
claims['iat'] = Time.now.to_i - 4000
|
64
|
+
describe '#expired?' do
|
65
65
|
|
66
|
-
|
66
|
+
def expired?(claims)
|
67
|
+
prxauth.send(:expired?, claims)
|
67
68
|
end
|
68
69
|
|
69
|
-
|
70
|
-
|
70
|
+
describe 'with a malformed exp' do
|
71
|
+
let(:iat) { Time.now.to_i }
|
72
|
+
let(:exp) { 3600 }
|
73
|
+
|
74
|
+
it 'is expired if iat + exp are in the past' do
|
75
|
+
claims['iat'] -= 3631
|
76
|
+
|
77
|
+
assert expired?(claims)
|
78
|
+
end
|
79
|
+
|
80
|
+
it 'is not expired if iat + exp are in the future' do
|
81
|
+
claims['iat'] = Time.now.to_i - 3599
|
82
|
+
|
83
|
+
refute expired?(claims)
|
84
|
+
end
|
85
|
+
|
86
|
+
it 'allows a 30s clock jitter' do
|
87
|
+
claims['iat'] = Time.now.to_i - 3629
|
88
|
+
|
89
|
+
refute expired?(claims)
|
90
|
+
end
|
91
|
+
end
|
92
|
+
|
93
|
+
describe 'with a corrected exp' do
|
94
|
+
let(:iat) { Time.now.to_i - 3600 }
|
95
|
+
let(:exp) { Time.now.to_i + 1 }
|
96
|
+
|
97
|
+
it 'is not expired if exp is in the future' do
|
98
|
+
refute expired?(claims)
|
99
|
+
end
|
100
|
+
|
101
|
+
it 'is expired if exp is in the past (with 30s jitter grace)' do
|
102
|
+
claims['exp'] = Time.now.to_i - 31
|
103
|
+
assert expired?(claims)
|
104
|
+
claims['exp'] = Time.now.to_i - 29
|
105
|
+
refute expired?(claims)
|
106
|
+
end
|
71
107
|
end
|
72
108
|
end
|
73
109
|
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: prx_auth
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.5.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Eve Asher
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2020-
|
12
|
+
date: 2020-10-19 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: bundler
|
@@ -31,14 +31,14 @@ dependencies:
|
|
31
31
|
requirements:
|
32
32
|
- - "~>"
|
33
33
|
- !ruby/object:Gem::Version
|
34
|
-
version:
|
34
|
+
version: 12.3.3
|
35
35
|
type: :development
|
36
36
|
prerelease: false
|
37
37
|
version_requirements: !ruby/object:Gem::Requirement
|
38
38
|
requirements:
|
39
39
|
- - "~>"
|
40
40
|
- !ruby/object:Gem::Version
|
41
|
-
version:
|
41
|
+
version: 12.3.3
|
42
42
|
- !ruby/object:Gem::Dependency
|
43
43
|
name: coveralls
|
44
44
|
requirement: !ruby/object:Gem::Requirement
|
@@ -115,14 +115,14 @@ dependencies:
|
|
115
115
|
requirements:
|
116
116
|
- - "~>"
|
117
117
|
- !ruby/object:Gem::Version
|
118
|
-
version: 1.
|
118
|
+
version: 1.11.0
|
119
119
|
type: :runtime
|
120
120
|
prerelease: false
|
121
121
|
version_requirements: !ruby/object:Gem::Requirement
|
122
122
|
requirements:
|
123
123
|
- - "~>"
|
124
124
|
- !ruby/object:Gem::Version
|
125
|
-
version: 1.
|
125
|
+
version: 1.11.0
|
126
126
|
description: Specific to PRX. Will ignore tokens that were not issued by PRX.
|
127
127
|
email:
|
128
128
|
- eve@prx.org
|