prx_auth 1.2.0 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: b6b1ad46cadbbeddae8e3bebd398582339573c0cd93a16e1ec32d81640c57132
4
- data.tar.gz: e16653c6a43a3398d770dee31c1cc414a5a1eedb38434e8568c9d7fad3f74e78
3
+ metadata.gz: 0ac722c142dfc949c887f3bd913c19e9a743c6dc9503badaa967fc180b200344
4
+ data.tar.gz: bbac43c4ad1611c136da5a66f544eea639262fa2cb01e6eb1853610ee630b0ca
5
5
  SHA512:
6
- metadata.gz: ef892e741fce211dd772a141dd0b80741b395cc8a926651322c79e9bcb91e141c556164c5b46a2f617a5297bc26ab04c0e6f1b954c6d7440ecd42d78831d1025
7
- data.tar.gz: 50f52aa960307c3f2117cef31586c946338b032183c5d0f85d1098af448e0fe4e27b97365a782970b95738eec4e6be90f05f35dde1597841f70e0ede9a2a4aa4
6
+ metadata.gz: 7941fafb990e4d7aa8cb070963aba181b91d3d108fd4a4d6017618b15532d83876db3dc69a3fb962d5193adb61f82cad5874b7b65590880b99a6eb68117e0e6d
7
+ data.tar.gz: b3d1a127bbe650df453b3158d81df5fd56dfcad9c9862ceaba502ca25dd45ad9c6a6764f65a481cd6a54989aa22b5cf10774a003efc97d949c782cdddc767660
@@ -37,6 +37,14 @@ module PrxAuth
37
37
  end
38
38
  end
39
39
 
40
+ def [](key)
41
+ super(key.to_s)
42
+ end
43
+
44
+ def []=(key, value)
45
+ super(key.to_s, value)
46
+ end
47
+
40
48
  def condense
41
49
  condensed_wildcard = @wildcard.condense
42
50
  condensed_map = Hash[map do |resource, list|
@@ -4,19 +4,15 @@ module PrxAuth
4
4
  NAMESPACE_SEPARATOR = ':'
5
5
  NO_NAMESPACE = :_
6
6
 
7
- Entry = Struct.new(:namespace, :scope)
7
+ Entry = Struct.new(:namespace, :scope, :string)
8
8
 
9
9
  class Entry
10
- def equal?(other_entry)
10
+ def ==(other_entry)
11
11
  namespace == other_entry.namespace && scope == other_entry.scope
12
12
  end
13
13
 
14
14
  def to_s
15
- if namespaced?
16
- "#{namespace}:#{scope}"
17
- else
18
- scope.to_s
19
- end
15
+ string
20
16
  end
21
17
 
22
18
  def namespaced?
@@ -25,11 +21,15 @@ module PrxAuth
25
21
 
26
22
  def unnamespaced
27
23
  if namespaced?
28
- Entry.new(NO_NAMESPACE, scope)
24
+ Entry.new(NO_NAMESPACE, scope, string.split(':').last)
29
25
  else
30
26
  self
31
27
  end
32
28
  end
29
+
30
+ def inspect
31
+ "#<ScopeList::Entry \"#{to_s}\">"
32
+ end
33
33
  end
34
34
 
35
35
  def self.new(list)
@@ -47,9 +47,9 @@ module PrxAuth
47
47
 
48
48
  parts = value.split(NAMESPACE_SEPARATOR, 2)
49
49
  if parts.length == 2
50
- push Entry.new(symbolize(parts[0]), symbolize(parts[1]))
50
+ push Entry.new(symbolize(parts[0]), symbolize(parts[1]), value)
51
51
  else
52
- push Entry.new(NO_NAMESPACE, symbolize(parts[0]))
52
+ push Entry.new(NO_NAMESPACE, symbolize(parts[0]), value)
53
53
  end
54
54
  end
55
55
  end
@@ -57,11 +57,11 @@ module PrxAuth
57
57
  def contains?(namespace, scope=nil)
58
58
  entries = if scope.nil?
59
59
  scope, namespace = namespace, NO_NAMESPACE
60
- [Entry.new(namespace, symbolize(scope))]
60
+ [Entry.new(namespace, symbolize(scope), nil)]
61
61
  else
62
62
  scope = symbolize(scope)
63
63
  namespace = symbolize(namespace)
64
- [Entry.new(namespace, scope), Entry.new(NO_NAMESPACE, scope)]
64
+ [Entry.new(namespace, scope, nil), Entry.new(NO_NAMESPACE, scope, nil)]
65
65
  end
66
66
 
67
67
  entries.any? do |possible_match|
@@ -126,7 +126,11 @@ module PrxAuth
126
126
  def &(other_list)
127
127
  return ScopeList.new('') if other_list.nil?
128
128
 
129
- self - (self - other_list)
129
+ self - (self - other_list) + (other_list - (other_list - self))
130
+ end
131
+
132
+ def ==(other)
133
+ condense.sort_by(&:to_s) == other.condense.sort_by(&:to_s)
130
134
  end
131
135
 
132
136
  private
@@ -1,3 +1,3 @@
1
1
  module PrxAuth
2
- VERSION = "1.2.0"
2
+ VERSION = "1.5.0"
3
3
  end
@@ -53,7 +53,12 @@ module Rack
53
53
  end
54
54
 
55
55
  def expired?(claims)
56
- Time.now.to_i > (claims['iat'] + claims['exp'])
56
+ now = Time.now.to_i - 30 # 30 second clock jitter allowance
57
+ if claims['iat'] <= claims['exp']
58
+ now > claims['exp']
59
+ else
60
+ now > (claims['iat'] + claims['exp'])
61
+ end
57
62
  end
58
63
 
59
64
  def should_validate_token?(claims)
@@ -21,12 +21,12 @@ Gem::Specification.new do |spec|
21
21
  spec.required_ruby_version = '>= 2.3'
22
22
 
23
23
  spec.add_development_dependency 'bundler', '~> 2.0'
24
- spec.add_development_dependency 'rake', '~> 10.0'
24
+ spec.add_development_dependency 'rake', '~> 12.3.3'
25
25
  spec.add_development_dependency 'coveralls', '~> 0'
26
26
  spec.add_development_dependency 'guard'
27
27
  spec.add_development_dependency 'guard-minitest'
28
28
 
29
29
  spec.add_dependency 'rack', '>= 1.5.2'
30
30
  spec.add_dependency 'json', '>= 1.8.1'
31
- spec.add_dependency 'json-jwt', '~> 1.9.4'
31
+ spec.add_dependency 'json-jwt', '~> 1.11.0'
32
32
  end
@@ -169,4 +169,17 @@ describe PrxAuth::ResourceMap do
169
169
  assert map.as_json.has_key?('*')
170
170
  end
171
171
  end
172
+
173
+ describe '#[]' do
174
+ it 'automatically stringifies' do
175
+ refute_nil map[123]
176
+ end
177
+ end
178
+
179
+ describe '#[]=' do
180
+ it 'automatically stringifies' do
181
+ map[789] = PrxAuth::ScopeList.new("")
182
+ refute_nil map["789"]
183
+ end
184
+ end
172
185
  end
@@ -70,6 +70,12 @@ describe PrxAuth::ScopeList do
70
70
  sl = new_list('one two') - nil
71
71
  assert sl.contains?(:one) && sl.contains?(:two)
72
72
  end
73
+
74
+ it 'maintains dashes and capitalization in the result' do
75
+ sl = new_list('The-Beginning the-middle the-end') - new_list('the-Middle')
76
+ assert sl.to_s == 'The-Beginning the-end'
77
+ end
78
+
73
79
  end
74
80
 
75
81
  describe '#+' do
@@ -98,5 +104,26 @@ describe PrxAuth::ScopeList do
98
104
  sl = new_list('one') & nil
99
105
  assert !sl.contains?(:one)
100
106
  end
107
+
108
+ it 'works when either side has non-namespaced values correctly' do
109
+ sl = PrxAuth::ScopeList.new('foo:bar') & PrxAuth::ScopeList.new('bar')
110
+ assert sl.contains?(:foo, :bar)
111
+ refute sl.contains?(:bar)
112
+
113
+ sl = PrxAuth::ScopeList.new('bar') & PrxAuth::ScopeList.new('foo:bar')
114
+ assert sl.contains?(:foo, :bar)
115
+ refute sl.contains?(:bar)
116
+ end
117
+ end
118
+
119
+ describe '==' do
120
+
121
+ it 'is equal when they are functionally equal' do
122
+ assert_equal PrxAuth::ScopeList.new("foo ns:foo bar ns2:baz"), PrxAuth::ScopeList.new("ns2:baz bar foo")
123
+ end
124
+
125
+ it 'is not equal when they are not functionally equal' do
126
+ refute_equal PrxAuth::ScopeList.new("foo bar"), PrxAuth::ScopeList.new("foo:bar bar:foo")
127
+ end
101
128
  end
102
129
  end
@@ -5,7 +5,9 @@ describe Rack::PrxAuth do
5
5
  let(:prxauth) { Rack::PrxAuth.new(app) }
6
6
  let(:fake_token) { 'afawefawefawefawegstgnsrtiohnlijblublwjnvrtoign'}
7
7
  let(:env) { {'HTTP_AUTHORIZATION' => 'Bearer ' + fake_token } }
8
- let(:claims) { {'sub'=>3, 'exp'=>3600, 'iat'=>Time.now.to_i, 'token_type'=>'bearer', 'scope'=>nil, 'iss'=>'id.prx.org'} }
8
+ let(:iat) { Time.now.to_i }
9
+ let(:exp) { 3600 }
10
+ let(:claims) { {'sub'=>3, 'exp'=>exp, 'iat'=>iat, 'token_type'=>'bearer', 'scope'=>nil, 'iss'=>'id.prx.org'} }
9
11
 
10
12
  describe '#call' do
11
13
  it 'does nothing if there is no authorization header' do
@@ -59,15 +61,49 @@ describe Rack::PrxAuth do
59
61
  end
60
62
  end
61
63
 
62
- describe '#token_expired?' do
63
- it 'returns true if token is expired' do
64
- claims['iat'] = Time.now.to_i - 4000
64
+ describe '#expired?' do
65
65
 
66
- assert prxauth.send(:expired?, claims) == true
66
+ def expired?(claims)
67
+ prxauth.send(:expired?, claims)
67
68
  end
68
69
 
69
- it 'returns false if it is valid' do
70
- assert prxauth.send(:expired?, claims) == false
70
+ describe 'with a malformed exp' do
71
+ let(:iat) { Time.now.to_i }
72
+ let(:exp) { 3600 }
73
+
74
+ it 'is expired if iat + exp are in the past' do
75
+ claims['iat'] -= 3631
76
+
77
+ assert expired?(claims)
78
+ end
79
+
80
+ it 'is not expired if iat + exp are in the future' do
81
+ claims['iat'] = Time.now.to_i - 3599
82
+
83
+ refute expired?(claims)
84
+ end
85
+
86
+ it 'allows a 30s clock jitter' do
87
+ claims['iat'] = Time.now.to_i - 3629
88
+
89
+ refute expired?(claims)
90
+ end
91
+ end
92
+
93
+ describe 'with a corrected exp' do
94
+ let(:iat) { Time.now.to_i - 3600 }
95
+ let(:exp) { Time.now.to_i + 1 }
96
+
97
+ it 'is not expired if exp is in the future' do
98
+ refute expired?(claims)
99
+ end
100
+
101
+ it 'is expired if exp is in the past (with 30s jitter grace)' do
102
+ claims['exp'] = Time.now.to_i - 31
103
+ assert expired?(claims)
104
+ claims['exp'] = Time.now.to_i - 29
105
+ refute expired?(claims)
106
+ end
71
107
  end
72
108
  end
73
109
 
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: prx_auth
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.2.0
4
+ version: 1.5.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Eve Asher
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2020-08-05 00:00:00.000000000 Z
12
+ date: 2020-10-19 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: bundler
@@ -31,14 +31,14 @@ dependencies:
31
31
  requirements:
32
32
  - - "~>"
33
33
  - !ruby/object:Gem::Version
34
- version: '10.0'
34
+ version: 12.3.3
35
35
  type: :development
36
36
  prerelease: false
37
37
  version_requirements: !ruby/object:Gem::Requirement
38
38
  requirements:
39
39
  - - "~>"
40
40
  - !ruby/object:Gem::Version
41
- version: '10.0'
41
+ version: 12.3.3
42
42
  - !ruby/object:Gem::Dependency
43
43
  name: coveralls
44
44
  requirement: !ruby/object:Gem::Requirement
@@ -115,14 +115,14 @@ dependencies:
115
115
  requirements:
116
116
  - - "~>"
117
117
  - !ruby/object:Gem::Version
118
- version: 1.9.4
118
+ version: 1.11.0
119
119
  type: :runtime
120
120
  prerelease: false
121
121
  version_requirements: !ruby/object:Gem::Requirement
122
122
  requirements:
123
123
  - - "~>"
124
124
  - !ruby/object:Gem::Version
125
- version: 1.9.4
125
+ version: 1.11.0
126
126
  description: Specific to PRX. Will ignore tokens that were not issued by PRX.
127
127
  email:
128
128
  - eve@prx.org