prx_auth 1.2.0 → 1.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/prx_auth/resource_map.rb +8 -0
- data/lib/prx_auth/scope_list.rb +17 -13
- data/lib/prx_auth/version.rb +1 -1
- data/lib/rack/prx_auth.rb +6 -1
- data/prx_auth.gemspec +2 -2
- data/test/prx_auth/resource_map_test.rb +13 -0
- data/test/prx_auth/scope_list_test.rb +27 -0
- data/test/rack/prx_auth_test.rb +43 -7
- metadata +6 -6
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 0ac722c142dfc949c887f3bd913c19e9a743c6dc9503badaa967fc180b200344
|
4
|
+
data.tar.gz: bbac43c4ad1611c136da5a66f544eea639262fa2cb01e6eb1853610ee630b0ca
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 7941fafb990e4d7aa8cb070963aba181b91d3d108fd4a4d6017618b15532d83876db3dc69a3fb962d5193adb61f82cad5874b7b65590880b99a6eb68117e0e6d
|
7
|
+
data.tar.gz: b3d1a127bbe650df453b3158d81df5fd56dfcad9c9862ceaba502ca25dd45ad9c6a6764f65a481cd6a54989aa22b5cf10774a003efc97d949c782cdddc767660
|
data/lib/prx_auth/scope_list.rb
CHANGED
@@ -4,19 +4,15 @@ module PrxAuth
|
|
4
4
|
NAMESPACE_SEPARATOR = ':'
|
5
5
|
NO_NAMESPACE = :_
|
6
6
|
|
7
|
-
Entry = Struct.new(:namespace, :scope)
|
7
|
+
Entry = Struct.new(:namespace, :scope, :string)
|
8
8
|
|
9
9
|
class Entry
|
10
|
-
def
|
10
|
+
def ==(other_entry)
|
11
11
|
namespace == other_entry.namespace && scope == other_entry.scope
|
12
12
|
end
|
13
13
|
|
14
14
|
def to_s
|
15
|
-
|
16
|
-
"#{namespace}:#{scope}"
|
17
|
-
else
|
18
|
-
scope.to_s
|
19
|
-
end
|
15
|
+
string
|
20
16
|
end
|
21
17
|
|
22
18
|
def namespaced?
|
@@ -25,11 +21,15 @@ module PrxAuth
|
|
25
21
|
|
26
22
|
def unnamespaced
|
27
23
|
if namespaced?
|
28
|
-
Entry.new(NO_NAMESPACE, scope)
|
24
|
+
Entry.new(NO_NAMESPACE, scope, string.split(':').last)
|
29
25
|
else
|
30
26
|
self
|
31
27
|
end
|
32
28
|
end
|
29
|
+
|
30
|
+
def inspect
|
31
|
+
"#<ScopeList::Entry \"#{to_s}\">"
|
32
|
+
end
|
33
33
|
end
|
34
34
|
|
35
35
|
def self.new(list)
|
@@ -47,9 +47,9 @@ module PrxAuth
|
|
47
47
|
|
48
48
|
parts = value.split(NAMESPACE_SEPARATOR, 2)
|
49
49
|
if parts.length == 2
|
50
|
-
push Entry.new(symbolize(parts[0]), symbolize(parts[1]))
|
50
|
+
push Entry.new(symbolize(parts[0]), symbolize(parts[1]), value)
|
51
51
|
else
|
52
|
-
push Entry.new(NO_NAMESPACE, symbolize(parts[0]))
|
52
|
+
push Entry.new(NO_NAMESPACE, symbolize(parts[0]), value)
|
53
53
|
end
|
54
54
|
end
|
55
55
|
end
|
@@ -57,11 +57,11 @@ module PrxAuth
|
|
57
57
|
def contains?(namespace, scope=nil)
|
58
58
|
entries = if scope.nil?
|
59
59
|
scope, namespace = namespace, NO_NAMESPACE
|
60
|
-
[Entry.new(namespace, symbolize(scope))]
|
60
|
+
[Entry.new(namespace, symbolize(scope), nil)]
|
61
61
|
else
|
62
62
|
scope = symbolize(scope)
|
63
63
|
namespace = symbolize(namespace)
|
64
|
-
[Entry.new(namespace, scope), Entry.new(NO_NAMESPACE, scope)]
|
64
|
+
[Entry.new(namespace, scope, nil), Entry.new(NO_NAMESPACE, scope, nil)]
|
65
65
|
end
|
66
66
|
|
67
67
|
entries.any? do |possible_match|
|
@@ -126,7 +126,11 @@ module PrxAuth
|
|
126
126
|
def &(other_list)
|
127
127
|
return ScopeList.new('') if other_list.nil?
|
128
128
|
|
129
|
-
self - (self - other_list)
|
129
|
+
self - (self - other_list) + (other_list - (other_list - self))
|
130
|
+
end
|
131
|
+
|
132
|
+
def ==(other)
|
133
|
+
condense.sort_by(&:to_s) == other.condense.sort_by(&:to_s)
|
130
134
|
end
|
131
135
|
|
132
136
|
private
|
data/lib/prx_auth/version.rb
CHANGED
data/lib/rack/prx_auth.rb
CHANGED
@@ -53,7 +53,12 @@ module Rack
|
|
53
53
|
end
|
54
54
|
|
55
55
|
def expired?(claims)
|
56
|
-
Time.now.to_i
|
56
|
+
now = Time.now.to_i - 30 # 30 second clock jitter allowance
|
57
|
+
if claims['iat'] <= claims['exp']
|
58
|
+
now > claims['exp']
|
59
|
+
else
|
60
|
+
now > (claims['iat'] + claims['exp'])
|
61
|
+
end
|
57
62
|
end
|
58
63
|
|
59
64
|
def should_validate_token?(claims)
|
data/prx_auth.gemspec
CHANGED
@@ -21,12 +21,12 @@ Gem::Specification.new do |spec|
|
|
21
21
|
spec.required_ruby_version = '>= 2.3'
|
22
22
|
|
23
23
|
spec.add_development_dependency 'bundler', '~> 2.0'
|
24
|
-
spec.add_development_dependency 'rake', '~>
|
24
|
+
spec.add_development_dependency 'rake', '~> 12.3.3'
|
25
25
|
spec.add_development_dependency 'coveralls', '~> 0'
|
26
26
|
spec.add_development_dependency 'guard'
|
27
27
|
spec.add_development_dependency 'guard-minitest'
|
28
28
|
|
29
29
|
spec.add_dependency 'rack', '>= 1.5.2'
|
30
30
|
spec.add_dependency 'json', '>= 1.8.1'
|
31
|
-
spec.add_dependency 'json-jwt', '~> 1.
|
31
|
+
spec.add_dependency 'json-jwt', '~> 1.11.0'
|
32
32
|
end
|
@@ -169,4 +169,17 @@ describe PrxAuth::ResourceMap do
|
|
169
169
|
assert map.as_json.has_key?('*')
|
170
170
|
end
|
171
171
|
end
|
172
|
+
|
173
|
+
describe '#[]' do
|
174
|
+
it 'automatically stringifies' do
|
175
|
+
refute_nil map[123]
|
176
|
+
end
|
177
|
+
end
|
178
|
+
|
179
|
+
describe '#[]=' do
|
180
|
+
it 'automatically stringifies' do
|
181
|
+
map[789] = PrxAuth::ScopeList.new("")
|
182
|
+
refute_nil map["789"]
|
183
|
+
end
|
184
|
+
end
|
172
185
|
end
|
@@ -70,6 +70,12 @@ describe PrxAuth::ScopeList do
|
|
70
70
|
sl = new_list('one two') - nil
|
71
71
|
assert sl.contains?(:one) && sl.contains?(:two)
|
72
72
|
end
|
73
|
+
|
74
|
+
it 'maintains dashes and capitalization in the result' do
|
75
|
+
sl = new_list('The-Beginning the-middle the-end') - new_list('the-Middle')
|
76
|
+
assert sl.to_s == 'The-Beginning the-end'
|
77
|
+
end
|
78
|
+
|
73
79
|
end
|
74
80
|
|
75
81
|
describe '#+' do
|
@@ -98,5 +104,26 @@ describe PrxAuth::ScopeList do
|
|
98
104
|
sl = new_list('one') & nil
|
99
105
|
assert !sl.contains?(:one)
|
100
106
|
end
|
107
|
+
|
108
|
+
it 'works when either side has non-namespaced values correctly' do
|
109
|
+
sl = PrxAuth::ScopeList.new('foo:bar') & PrxAuth::ScopeList.new('bar')
|
110
|
+
assert sl.contains?(:foo, :bar)
|
111
|
+
refute sl.contains?(:bar)
|
112
|
+
|
113
|
+
sl = PrxAuth::ScopeList.new('bar') & PrxAuth::ScopeList.new('foo:bar')
|
114
|
+
assert sl.contains?(:foo, :bar)
|
115
|
+
refute sl.contains?(:bar)
|
116
|
+
end
|
117
|
+
end
|
118
|
+
|
119
|
+
describe '==' do
|
120
|
+
|
121
|
+
it 'is equal when they are functionally equal' do
|
122
|
+
assert_equal PrxAuth::ScopeList.new("foo ns:foo bar ns2:baz"), PrxAuth::ScopeList.new("ns2:baz bar foo")
|
123
|
+
end
|
124
|
+
|
125
|
+
it 'is not equal when they are not functionally equal' do
|
126
|
+
refute_equal PrxAuth::ScopeList.new("foo bar"), PrxAuth::ScopeList.new("foo:bar bar:foo")
|
127
|
+
end
|
101
128
|
end
|
102
129
|
end
|
data/test/rack/prx_auth_test.rb
CHANGED
@@ -5,7 +5,9 @@ describe Rack::PrxAuth do
|
|
5
5
|
let(:prxauth) { Rack::PrxAuth.new(app) }
|
6
6
|
let(:fake_token) { 'afawefawefawefawegstgnsrtiohnlijblublwjnvrtoign'}
|
7
7
|
let(:env) { {'HTTP_AUTHORIZATION' => 'Bearer ' + fake_token } }
|
8
|
-
let(:
|
8
|
+
let(:iat) { Time.now.to_i }
|
9
|
+
let(:exp) { 3600 }
|
10
|
+
let(:claims) { {'sub'=>3, 'exp'=>exp, 'iat'=>iat, 'token_type'=>'bearer', 'scope'=>nil, 'iss'=>'id.prx.org'} }
|
9
11
|
|
10
12
|
describe '#call' do
|
11
13
|
it 'does nothing if there is no authorization header' do
|
@@ -59,15 +61,49 @@ describe Rack::PrxAuth do
|
|
59
61
|
end
|
60
62
|
end
|
61
63
|
|
62
|
-
describe '#
|
63
|
-
it 'returns true if token is expired' do
|
64
|
-
claims['iat'] = Time.now.to_i - 4000
|
64
|
+
describe '#expired?' do
|
65
65
|
|
66
|
-
|
66
|
+
def expired?(claims)
|
67
|
+
prxauth.send(:expired?, claims)
|
67
68
|
end
|
68
69
|
|
69
|
-
|
70
|
-
|
70
|
+
describe 'with a malformed exp' do
|
71
|
+
let(:iat) { Time.now.to_i }
|
72
|
+
let(:exp) { 3600 }
|
73
|
+
|
74
|
+
it 'is expired if iat + exp are in the past' do
|
75
|
+
claims['iat'] -= 3631
|
76
|
+
|
77
|
+
assert expired?(claims)
|
78
|
+
end
|
79
|
+
|
80
|
+
it 'is not expired if iat + exp are in the future' do
|
81
|
+
claims['iat'] = Time.now.to_i - 3599
|
82
|
+
|
83
|
+
refute expired?(claims)
|
84
|
+
end
|
85
|
+
|
86
|
+
it 'allows a 30s clock jitter' do
|
87
|
+
claims['iat'] = Time.now.to_i - 3629
|
88
|
+
|
89
|
+
refute expired?(claims)
|
90
|
+
end
|
91
|
+
end
|
92
|
+
|
93
|
+
describe 'with a corrected exp' do
|
94
|
+
let(:iat) { Time.now.to_i - 3600 }
|
95
|
+
let(:exp) { Time.now.to_i + 1 }
|
96
|
+
|
97
|
+
it 'is not expired if exp is in the future' do
|
98
|
+
refute expired?(claims)
|
99
|
+
end
|
100
|
+
|
101
|
+
it 'is expired if exp is in the past (with 30s jitter grace)' do
|
102
|
+
claims['exp'] = Time.now.to_i - 31
|
103
|
+
assert expired?(claims)
|
104
|
+
claims['exp'] = Time.now.to_i - 29
|
105
|
+
refute expired?(claims)
|
106
|
+
end
|
71
107
|
end
|
72
108
|
end
|
73
109
|
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: prx_auth
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.5.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Eve Asher
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2020-
|
12
|
+
date: 2020-10-19 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: bundler
|
@@ -31,14 +31,14 @@ dependencies:
|
|
31
31
|
requirements:
|
32
32
|
- - "~>"
|
33
33
|
- !ruby/object:Gem::Version
|
34
|
-
version:
|
34
|
+
version: 12.3.3
|
35
35
|
type: :development
|
36
36
|
prerelease: false
|
37
37
|
version_requirements: !ruby/object:Gem::Requirement
|
38
38
|
requirements:
|
39
39
|
- - "~>"
|
40
40
|
- !ruby/object:Gem::Version
|
41
|
-
version:
|
41
|
+
version: 12.3.3
|
42
42
|
- !ruby/object:Gem::Dependency
|
43
43
|
name: coveralls
|
44
44
|
requirement: !ruby/object:Gem::Requirement
|
@@ -115,14 +115,14 @@ dependencies:
|
|
115
115
|
requirements:
|
116
116
|
- - "~>"
|
117
117
|
- !ruby/object:Gem::Version
|
118
|
-
version: 1.
|
118
|
+
version: 1.11.0
|
119
119
|
type: :runtime
|
120
120
|
prerelease: false
|
121
121
|
version_requirements: !ruby/object:Gem::Requirement
|
122
122
|
requirements:
|
123
123
|
- - "~>"
|
124
124
|
- !ruby/object:Gem::Version
|
125
|
-
version: 1.
|
125
|
+
version: 1.11.0
|
126
126
|
description: Specific to PRX. Will ignore tokens that were not issued by PRX.
|
127
127
|
email:
|
128
128
|
- eve@prx.org
|